CVE-2026-44915
Status: Received - Intake
Open Redirect in Apache APISIX via cas-auth

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phishing and credential theft. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
CVSS Scores: none listed
EPSS: not yet evaluated (N/A)
Affected Vendors & Products
Vendor: apache
Product: apisix
Version / Range: from 3.0.0 (inclusive) to 3.16.0 (inclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Compliance Impact

The vulnerability in Apache APISIX's cas-auth plugin allows for open redirect attacks that can lead to phishing and credential theft.

Such security issues can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and credentials against unauthorized access and phishing attacks.

Failure to address this vulnerability could result in non-compliance due to potential data breaches or compromise of user credentials.

Upgrading to version 3.17.0 or later is recommended to mitigate these risks and help maintain compliance.

Executive Summary

CVE-2026-44915 is an Open Redirect vulnerability in the cas-auth plugin of Apache APISIX versions 3.0.0 through 3.16.0.

The issue arises because unsanitized cookie values allow attackers to redirect users to untrusted sites.

This can be exploited to perform phishing attacks or steal user credentials.

Impact Analysis

This vulnerability can lead to phishing attacks where users are redirected to malicious websites.

It can also result in credential theft if attackers trick users into submitting sensitive information on these untrusted sites.

Mitigation Strategies

To mitigate the CVE-2026-44915 vulnerability in Apache APISIX, users should upgrade their Apache APISIX installation to version 3.17.0 or later.

This upgrade addresses the open redirect flaw in the cas-auth plugin caused by unsanitized cookie values, which could otherwise be exploited for phishing or credential theft.
