CVE-2026-31923
Cleartext Transmission in Apache APISIX OpenID-Connect Plugin

Publication date: 2026-04-14

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-17
Generated: 2026-06-16
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: apache
Product: apisix
Version / Range: from 0.7 (inclusive) to 3.16.0 (exclusive)
CWE
CWE-319: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Quick Actions (AI-generated insights)
Executive Summary

This vulnerability is a Cleartext Transmission of Sensitive Information issue in Apache APISIX. It occurs because the `ssl_verify` setting in the openid-connect plugin configuration is false by default, so sensitive information may be transmitted without proper encryption or verification.

The vulnerability affects Apache APISIX versions from 0.7 through 3.15.0.

Impact Analysis

This vulnerability can lead to sensitive information being transmitted in cleartext, which exposes it to interception or eavesdropping by unauthorized parties. This can compromise the confidentiality and integrity of the data being transmitted through Apache APISIX.

Mitigation Strategies

To mitigate the Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX, users are recommended to upgrade Apache APISIX to version 3.16.0, which fixes the issue.

This vulnerability occurs because the `ssl_verify` setting in the openid-connect plugin configuration is set to false by default. Ensuring this setting is properly configured or upgrading to the fixed version will help mitigate the risk.

Compliance Impact

The vulnerability involves cleartext transmission of sensitive information due to the openid-connect plugin's `ssl_verify` setting being false by default. This can lead to interception of sensitive data.

Such exposure of sensitive information could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data during transmission.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.

Detection Guidance

This vulnerability occurs because the `ssl_verify` field in the openid-connect plugin configuration of Apache APISIX is set to false by default, leading to cleartext transmission of sensitive information.

To detect this vulnerability on your system, you should check the configuration of the openid-connect plugin in your Apache APISIX installation to see if `ssl_verify` is set to false.

Additionally, you can monitor network traffic for unencrypted transmission of sensitive data related to openid-connect plugin operations.

  • Check the plugin configuration file or Admin API for the `ssl_verify` setting, for example: `grep -r ssl_verify /usr/local/apisix/conf/` (substitute your own configuration path).
  • Use network packet capture tools such as `tcpdump` or `wireshark` to inspect traffic on relevant ports for unencrypted sensitive information, for example: `tcpdump -i eth0 port 443 -w capture.pcap`, then analyze the capture in Wireshark for any cleartext sensitive data.
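As an added example (not part of this CVE record or of the APISIX project), the following Python check walks an exported Admin API route list and reports every openid-connect plugin instance whose `ssl_verify` is missing or false, treating an absent key as vulnerable because the affected versions default it to false. The `list`/`value` JSON shape and the sample routes are assumed and constructed for the demo.

```python
"""Audit exported APISIX route objects for openid-connect plugin instances
that leave `ssl_verify` unset or false (constructed sample data below)."""
import json

# Constructed sample in the shape of an APISIX Admin API list response
# (assumed: each entry carries its route config under "value"); not real routes.
SAMPLE_ROUTES = json.dumps({
    "list": [
        {"value": {"id": "r1", "uri": "/api/*",
                   "plugins": {"openid-connect": {
                       "client_id": "app", "client_secret": "PLACEHOLDER-SECRET",
                       "discovery": "https://idp.example/.well-known/openid-configuration",
                       "ssl_verify": True}}}},
        {"value": {"id": "r2", "uri": "/admin/*",
                   "plugins": {"openid-connect": {
                       "client_id": "app", "client_secret": "PLACEHOLDER-SECRET",
                       "discovery": "https://idp.example/.well-known/openid-configuration",
                       "ssl_verify": False}}}},
        {"value": {"id": "r3", "uri": "/legacy/*",
                   "plugins": {"openid-connect": {
                       "client_id": "app", "client_secret": "PLACEHOLDER-SECRET",
                       "discovery": "https://idp.example/.well-known/openid-configuration"}}}},
        {"value": {"id": "r4", "uri": "/public/*", "plugins": {"limit-count": {}}}},
    ]
})


def find_unverified_oidc(admin_list_json: str) -> list:
    """Return (route_id, reason) for each openid-connect plugin instance whose
    ssl_verify is not explicitly true. A missing key is reported as well,
    since the affected versions (0.7 through 3.15.0) default it to false."""
    findings = []
    for entry in json.loads(admin_list_json).get("list", []):
        value = entry.get("value", {})
        oidc = value.get("plugins", {}).get("openid-connect")
        if oidc is None:
            continue  # route does not use the openid-connect plugin
        if "ssl_verify" not in oidc:
            findings.append((value.get("id"), "ssl_verify missing (defaults to false)"))
        elif oidc["ssl_verify"] is not True:
            findings.append((value.get("id"), "ssl_verify explicitly false"))
    return findings


if __name__ == "__main__":
    for route_id, reason in find_unverified_oidc(SAMPLE_ROUTES):
        print(f"route {route_id}: {reason}")
```

Feed it the output of your own Admin API routes listing to cover configurations that live in etcd rather than in files under the conf directory.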