CVE-2026-31924
Cleartext Data Exposure in Apache APISIX Log Export

Publication date: 2026-04-14

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. The tencent-cloud-cls log export uses plaintext HTTP. This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: apache
Product: apisix
Version / Range: from 2.99.0 (inclusive) to 3.16.0 (exclusive)
CWE
CWE-319: The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31924 is a vulnerability in Apache APISIX versions 2.99.0 through 3.15.0, specifically in the tencent-cloud-cls plugin's log export feature.

The vulnerability involves the transmission of sensitive information in cleartext over HTTP, meaning that sensitive log data is sent without encryption.

This cleartext transmission can allow attackers to intercept and access sensitive information during the log export process.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves the cleartext transmission of sensitive information over HTTP, which can expose sensitive log data to interception by unauthorized parties.

Such exposure of sensitive information may lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive data during transmission.

Therefore, this vulnerability could negatively impact compliance efforts by failing to ensure the confidentiality and security of sensitive information in transit.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to sensitive log data because the information is transmitted in plaintext over HTTP.

An attacker who intercepts this data could gain access to potentially sensitive information contained in the logs, which could be used for further attacks or data breaches.

To mitigate this risk, users should upgrade Apache APISIX to version 3.16.0, where the issue is fixed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the transmission of sensitive information in cleartext over HTTP by the tencent-cloud-cls log export functionality in Apache APISIX versions 2.99.0 through 3.15.0.

To detect this vulnerability on your network or system, you can monitor network traffic for unencrypted HTTP transmissions related to Apache APISIX log exports.

  • Use packet capture tools like tcpdump or Wireshark to filter HTTP traffic on relevant ports and inspect for sensitive log data being transmitted in plaintext.
  • Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and host <apisix-server-ip>'
  • Use curl or similar tools to test the log export endpoint and check if the data is transmitted over HTTP instead of HTTPS.
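
A configuration-side check to complement the traffic capture, as an added example that is not part of the original page or of Apache APISIX: it combines the advisory's version range with a search for objects that enable tencent-cloud-cls. The export layout (kinds mapped to lists of objects with `id` and `plugins`), the `_meta.disable` handling and the sample data are assumptions constructed for illustration.

```python
import re

PLUGIN = "tencent-cloud-cls"
FIRST_AFFECTED = (2, 99, 0)  # lower bound from the advisory (inclusive)
FIRST_FIXED = (3, 16, 0)     # fixed release from the advisory (exclusive bound)

def parse_version(text):
    """Turn '3.15.0', 'v3.15' or '3.15.0-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

def objects_using_plugin(export):
    """Return sorted 'kind/id' strings for objects that enable the plugin."""
    hits = []
    for kind, items in export.items():
        for item in items:
            conf = (item.get("plugins") or {}).get(PLUGIN)
            if conf is None:
                continue
            # Assumption: a plugin switched off via _meta.disable sends nothing.
            if conf.get("_meta", {}).get("disable", False):
                continue
            hits.append(f"{kind}/{item['id']}")
    return sorted(hits)

def audit(version, export):
    hits = objects_using_plugin(export)
    affected = is_affected(version)
    return {"affected_version": affected, "plugin_in_use": hits,
            "exposed": affected and bool(hits)}

# Constructed sample export; ids and plugin settings are placeholders.
SAMPLE_EXPORT = {
    "routes": [
        {"id": "r1", "plugins": {PLUGIN: {}}},
        {"id": "r2", "plugins": {"limit-count": {}}},
        {"id": "r3", "plugins": {PLUGIN: {"_meta": {"disable": True}}}},
    ],
    "services": [{"id": "s1"}],
    "global_rules": [{"id": "1", "plugins": {PLUGIN: {}}}],
}

if __name__ == "__main__":
    print(audit("3.15.0", SAMPLE_EXPORT))
```

An `exposed` result of true means log export from the listed objects should be disabled or the gateway upgraded to 3.16.0, as described in the mitigation section.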

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Apache APISIX to version 3.16.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, avoid using the tencent-cloud-cls log export feature or ensure that log exports are not transmitted over unencrypted HTTP.

Additionally, consider implementing network-level protections such as firewall rules to restrict access to the log export endpoints and monitoring for suspicious traffic.

