CVE-2026-44087
Received Received - Intake
Insufficient Verification of Data Authenticity in Apache APISIX

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description
Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under default configuration has an attack surface that allows the attacker to spoof identity headers allowing the attacker to get unauthorized access the protected resources. This issue affects Apache APISIX: from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2026-44087
EUVD
EUVD-2026-38017
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache apisix From 2.3 (inc) to 3.16.0 (inc)
apache apisix 3.17.0
apache apisix 3.16.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44087 is an Insufficient Verification of Data Authenticity vulnerability in Apache APISIX, specifically affecting the openid-connect plugin under its default configuration.

This vulnerability allows an attacker to spoof identity headers, which means the attacker can impersonate legitimate users or entities.

As a result, the attacker can gain unauthorized access to protected resources that should normally require proper authentication.

Impact Analysis

This vulnerability can lead to unauthorized access to protected resources within systems using Apache APISIX versions 2.3 through 3.16.0 with the openid-connect plugin under default settings.

Attackers exploiting this flaw can bypass authentication controls by spoofing identity headers, potentially accessing sensitive data or performing actions they are not authorized to do.

This can compromise the confidentiality and integrity of your system's data and services.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache APISIX to version 3.17.0 or later, which contains the fix for the insufficient verification of data authenticity issue in the openid-connect plugin.

Compliance Impact

The vulnerability allows attackers to spoof identity headers and gain unauthorized access to protected resources, which could lead to unauthorized data access.

Such unauthorized access may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart