CVE-2026-39998
Status: Received - Intake
Improper Input Validation in Apache APISIX

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description
Improper Input Validation vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to spoof identity headers. This issue affects Apache APISIX: from 2.12.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Scores: none listed
EPSS Scores: probability and percentile not listed
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (associated CPEs)
Vendor   Product   Version / Range
apache   apisix    from 2.12.0 (inclusive) to 3.16.0 (inclusive)
apache   apisix    3.16.1
apache   apisix    3.17.0
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
KEV: not listed
Executive Summary

This vulnerability is an improper input validation issue in the Apache APISIX forward-auth plugin. It allows an attacker to exploit certain configurations to spoof identity headers.

The flaw affects Apache APISIX versions 2.12.0 through 3.16.0 inclusive. The description recommends upgrading to 3.17.0, which fixes the issue; the associated CPE list also records 3.16.1 and 3.17.0 as entries outside the affected range.

Impact Analysis

An attacker exploiting this vulnerability can spoof identity headers, potentially impersonating other users or services.

This can lead to unauthorized access or actions within systems relying on Apache APISIX for authentication or identity verification.

Mitigation Strategies

To mitigate CVE-2026-39998, upgrade Apache APISIX to version 3.17.0 or later, where the issue is fixed.

Because the weakness lies in how the forward-auth plugin handles identity headers under certain configurations, an upgrade is the only complete fix. Until it is applied, review every route that uses forward-auth and confirm that the upstream service does not trust any identity header that a client could also supply directly, since the description states that such headers can be spoofed.
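The page does not say which forward-auth configuration is affected, so the following is an added, generic model of the header-propagation weakness behind this class of bug rather than APISIX's own code or the exact CVE-2026-39998 condition. It assumes a forward-auth style gateway that sends selected client headers to an auth service and copies a configured list of identity headers from the auth response to the upstream (the field names `uri`, `request_headers` and `upstream_headers` mirror the plugin's documented schema; the values, the `fake_auth_service` and the sample requests are constructed). The weak variant layers the auth result on top of an unchanged client request, so any identity header the auth service happens not to set survives from the client; the hardened variant strips every configured identity header from the client request first, case-insensitively because HTTP header names are case-insensitive.

```python
"""Added example: identity-header handling in a forward-auth style gateway.
Not APISIX code; a model of the header flow with a hypothetical auth service."""
from __future__ import annotations

from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]
AuthFn = Callable[[Headers], Tuple[int, Headers]]

# Hypothetical plugin config. Field names mirror forward-auth's schema
# (uri, request_headers, upstream_headers); the values are made up.
PLUGIN_CONF = {
    "uri": "http://auth.internal/verify",
    "request_headers": ["Authorization"],
    "upstream_headers": ["X-User-ID", "X-User-Role"],
}


def _lower(h: Headers) -> Headers:
    """Normalise header names: HTTP header names are case-insensitive."""
    return {k.lower(): v for k, v in h.items()}


def fake_auth_service(req: Headers) -> Tuple[int, Headers]:
    """Constructed stand-in for the external auth service. It knows one
    token and asserts only the user id, never a role."""
    if req.get("authorization") == "Bearer alice-token":
        return 200, {"x-user-id": "alice"}
    return 401, {}


def _auth_request(client: Headers, conf: dict) -> Headers:
    """Only the configured request_headers are sent to the auth service."""
    wanted = {n.lower() for n in conf["request_headers"]}
    return {k: v for k, v in client.items() if k in wanted}


def forward_vulnerable(client: Headers, conf: dict = PLUGIN_CONF,
                       auth: AuthFn = fake_auth_service) -> Optional[Headers]:
    """Weak pattern: client headers go upstream unchanged and the auth
    service's identity headers are merely overlaid. Any identity header the
    auth service does not set keeps the client-supplied value."""
    client = _lower(client)
    status, auth_headers = auth(_auth_request(client, conf))
    if status != 200:
        return None  # request rejected at the gateway
    upstream = dict(client)
    for name in conf["upstream_headers"]:
        name = name.lower()
        if name in auth_headers:
            upstream[name] = auth_headers[name]
    return upstream


def forward_hardened(client: Headers, conf: dict = PLUGIN_CONF,
                     auth: AuthFn = fake_auth_service) -> Optional[Headers]:
    """Hardened pattern: every configured identity header is removed from the
    client request before the auth result is applied, so the upstream can only
    ever see values for those names that the auth service produced."""
    client = _lower(client)
    status, auth_headers = auth(_auth_request(client, conf))
    if status != 200:
        return None
    identity = {n.lower() for n in conf["upstream_headers"]}
    upstream = {k: v for k, v in client.items() if k not in identity}
    for name in identity:
        if name in auth_headers:
            upstream[name] = auth_headers[name]
    return upstream


if __name__ == "__main__":
    # Constructed attacker request: a valid token plus forged identity headers,
    # one of them in a different case from the configured name.
    spoof = {"Authorization": "Bearer alice-token",
             "x-user-role": "admin", "X-User-ID": "root"}
    print(forward_vulnerable(spoof))  # forged x-user-role: admin reaches upstream
    print(forward_hardened(spoof))    # only the auth-asserted x-user-id survives
```

The check a practitioner wants is the middle case: a request that authenticates successfully but carries an identity header the auth service never sets. In the weak flow that header reaches the upstream with the client's value; in the hardened flow it is absent, and a forged `X-User-ID` is replaced by the auth service's value in both flows only because the auth service happens to set it.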
