CVE-2026-31924
Received Received - Intake
Cleartext Data Exposure in Apache APISIX Log Export

Publication date: 2026-04-14

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31924
EUVD
EUVD-2026-22227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache apisix From 2.99.0 (inc) to 3.16.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31924 is a vulnerability in Apache APISIX versions 2.99.0 through 3.15.0, specifically in the tencent-cloud-cls plugin's log export feature.

The vulnerability involves the transmission of sensitive information in cleartext over HTTP, meaning that sensitive log data is sent without encryption.

This cleartext transmission can allow attackers to intercept and access sensitive information during the log export process.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive log data because the information is transmitted in plaintext over HTTP.

An attacker who intercepts this data could gain access to potentially sensitive information contained in the logs, which could be used for further attacks or data breaches.

To mitigate this risk, users should upgrade Apache APISIX to version 3.16.0, where the issue is fixed.

Detection Guidance

This vulnerability involves the transmission of sensitive information in cleartext over HTTP by the tencent-cloud-cls log export functionality in Apache APISIX versions 2.99.0 through 3.15.0.

To detect this vulnerability on your network or system, you can monitor network traffic for unencrypted HTTP transmissions related to Apache APISIX log exports.

  • Use packet capture tools like tcpdump or Wireshark to filter HTTP traffic on relevant ports and inspect for sensitive log data being transmitted in plaintext.
  • Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and host <apisix-server-ip>'
  • Use curl or similar tools to test the log export endpoint and check if the data is transmitted over HTTP instead of HTTPS.
Mitigation Strategies

The primary mitigation step is to upgrade Apache APISIX to version 3.16.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, avoid using the tencent-cloud-cls log export feature or ensure that log exports are not transmitted over unencrypted HTTP.

Additionally, consider implementing network-level protections such as firewall rules to restrict access to the log export endpoints and monitoring for suspicious traffic.

Compliance Impact

The vulnerability involves the cleartext transmission of sensitive information over HTTP, which can expose sensitive log data to interception by unauthorized parties.

Such exposure of sensitive information may lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive data during transmission.

Therefore, this vulnerability could negatively impact compliance efforts by failing to ensure the confidentiality and security of sensitive information in transit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31924. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart