CVE-2026-31923
Cleartext Transmission in Apache APISIX OpenID-Connect Plugin

Publication date: 2026-04-14

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: apache
Product: apisix
Version range: from 0.7 (inclusive) to 3.16.0 (exclusive)
CWE
CWE-319: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Cleartext Transmission of Sensitive Information issue in Apache APISIX. It occurs because the `ssl_verify` setting in the openid-connect plugin configuration is set to false by default, which means that sensitive information may be transmitted without proper encryption or verification.

The vulnerability affects Apache APISIX versions from 0.7 through 3.15.0.


How can this vulnerability impact me?

This vulnerability can lead to sensitive information being transmitted in cleartext, which exposes it to interception or eavesdropping by unauthorized parties. This can compromise the confidentiality and integrity of the data being transmitted through Apache APISIX.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX, users are recommended to upgrade Apache APISIX to version 3.16.0, which fixes the issue.

This vulnerability occurs because the `ssl_verify` setting in the openid-connect plugin configuration is set to false by default. Ensuring this setting is properly configured or upgrading to the fixed version will help mitigate the risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves cleartext transmission of sensitive information due to the openid-connect plugin's `ssl_verify` setting being false by default. This can lead to interception of sensitive data.

Such exposure of sensitive information could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data during transmission.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs because the `ssl_verify` field in the openid-connect plugin configuration of Apache APISIX is set to false by default, leading to cleartext transmission of sensitive information.

To detect this vulnerability on your system, you should check the configuration of the openid-connect plugin in your Apache APISIX installation to see if `ssl_verify` is set to false.

Additionally, you can monitor network traffic for unencrypted transmission of sensitive data related to openid-connect plugin operations.

  • Check the openid-connect plugin configuration for the `ssl_verify` setting. In standalone mode the declarative configuration is on disk, so a search such as `grep -r ssl_verify /usr/local/apisix/conf/` works; in the default deployment, routes and their plugin settings live in etcd, so inspect them through the Admin API instead.
  • Use a packet capture tool such as `tcpdump` or Wireshark to inspect traffic on the relevant ports, for example `tcpdump -i eth0 port 443 -w capture.pcap`, and then analyze the capture in Wireshark for any cleartext sensitive data.
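As an added example (not code from the advisory or from the APISIX project), the following Python script audits a saved Admin API listing for openid-connect plugin instances that do not set `ssl_verify` to true, treating an omitted field as false because that is the default in affected versions. The listing shape and every sample value are constructed assumptions for this example.

```python
import json
import sys

# Constructed sample shaped like an Apache APISIX Admin API listing
# (e.g. the JSON returned by GET /apisix/admin/routes); the shape and all
# values are assumptions for this example, not taken from the advisory.
SAMPLE_ROUTES = {
    "total": 4,
    "list": [
        {"key": "/apisix/routes/1", "value": {"uri": "/ok", "plugins": {
            "openid-connect": {"client_id": "app-a", "ssl_verify": True}}}},
        {"key": "/apisix/routes/2", "value": {"uri": "/off", "plugins": {
            "openid-connect": {"client_id": "app-b", "ssl_verify": False}}}},
        {"key": "/apisix/routes/3", "value": {"uri": "/unset", "plugins": {
            "openid-connect": {"client_id": "app-c"}}}},  # field omitted
        {"key": "/apisix/routes/4", "value": {"uri": "/plain", "plugins": {
            "limit-count": {"count": 10, "time_window": 60}}}},
    ],
}


def find_unverified_oidc(dump):
    """Return [(key, reason)] for every object whose openid-connect plugin
    config does not verify the identity provider's TLS certificate."""
    findings = []
    for item in dump.get("list", []):
        oidc = item.get("value", {}).get("plugins", {}).get("openid-connect")
        if oidc is None:
            continue  # this object does not use the plugin
        key = item.get("key", "<unknown>")
        if "ssl_verify" not in oidc:
            # In affected versions (0.7 through 3.15.0) the omitted field
            # defaults to false, so an unset value is as bad as an explicit false.
            findings.append((key, "ssl_verify not set (defaults to false)"))
        elif oidc["ssl_verify"] is not True:
            findings.append((key, "ssl_verify explicitly disabled"))
    return findings


if __name__ == "__main__":
    # Pipe the Admin API listing (GET /apisix/admin/routes, authenticated with
    # your admin key) into this script; with no piped input the sample is used.
    source = SAMPLE_ROUTES if sys.stdin.isatty() else json.load(sys.stdin)
    for key, reason in find_unverified_oidc(source):
        print(f"{key}: {reason}")
```

Run the same check against the services, plugin_configs and global_rules listings as well, since the plugin can be attached at any of those levels.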
