CVE-2026-48895
Status: Received - Intake
Open Redirect Vulnerability in Apache APISIX

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The attacker could manipulate some client headers to perform an open-redirect, to potentially expose the session token. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: apache
Product: apisix
Version range: from 3.0.0 (inclusive) to 3.16.0 (inclusive)
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Quick Actions
Compliance Impact

The vulnerability is an Open Redirect issue in which manipulated client headers can cause a redirect that potentially exposes session tokens. Exposure of session tokens may lead to unauthorized access or data breaches.

Such exposure could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of authentication credentials.

However, the provided information does not explicitly discuss the impact on compliance with these standards.

Executive Summary

CVE-2026-48895 is an Open Redirect vulnerability in Apache APISIX versions 3.0.0 through 3.16.0.

An attacker can manipulate certain client headers, such as the Host header, to cause the application to redirect users to an untrusted external site.

This manipulation can potentially expose the user's session token, leading to security risks.

Impact Analysis

This vulnerability can allow attackers to redirect users to malicious websites by exploiting manipulated client headers.

Such redirection can lead to exposure of session tokens, which may result in unauthorized access to user accounts or sensitive information.

Users of affected Apache APISIX versions may face increased risk of session hijacking or phishing attacks.

Detection Guidance

This vulnerability involves manipulation of client headers, specifically the Host header, to perform an open redirect in Apache APISIX versions 3.0.0 through 3.16.0.

To check whether a deployment is affected, test whether the server issues a redirect whose target is derived from a manipulated Host header.

  • Use curl to send a request with a modified Host header and check whether the response is a redirect whose Location header points to an untrusted host. For example: curl -I -H "Host: malicious.example.com" http://your-apisix-server/
  • Monitor network traffic for unexpected redirects or unusual Host header values in requests.
Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade Apache APISIX to version 3.17.0 or later, where the issue has been fixed.

Until the upgrade can be performed, consider implementing strict validation of client headers, especially the Host header, to prevent manipulation that could lead to open redirects.
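As an added example (not code from this page or from the Apache APISIX project), the following Python checker covers both the detection signal named above (a redirect whose Location header leaves an allowlist of expected hosts) and the interim mitigation (accepting only an allowlisted Host value). The allowlist, the log line format and the sample log lines are constructed for the example and are not APISIX's defaults.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames this deployment may redirect clients to.
TRUSTED_HOSTS = {"gateway.example.com", "sso.example.com"}

def redirect_target_host(location: str) -> Optional[str]:
    """Host a Location value leads to; None for a relative (same-origin) path."""
    loc = location.strip().replace("\\", "/")  # browsers treat \ as / here
    if loc.startswith("//"):                   # scheme-relative: new origin
        loc = "http:" + loc
    try:
        parts = urlsplit(loc)
    except ValueError:                         # e.g. unbalanced IPv6 brackets
        return ""
    if not parts.scheme and not parts.netloc:
        return None
    return (parts.hostname or "").lower()

def is_unexpected_redirect(status: int, location: str, trusted=TRUSTED_HOSTS) -> bool:
    """Detection side: a redirect whose target host is off the allowlist."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    host = redirect_target_host(location)
    return host is not None and host not in trusted

def host_header_is_trusted(host_header: str, trusted=TRUSTED_HOSTS) -> bool:
    """Mitigation side: accept only an allowlisted Host value (port ignored)."""
    return redirect_target_host("http://" + host_header.strip()) in trusted

# Constructed log format (not APISIX's default access log), one line per response.
LOG_LINE = re.compile(r'host="(?P<host>[^"]*)" status=(?P<status>\d{3}) '
                      r'location="(?P<location>[^"]*)"')
SAMPLE_LOG = """\
host="gateway.example.com" status=302 location="/login"
host="gateway.example.com" status=302 location="https://sso.example.com/auth"
host="attacker.invalid" status=302 location="http://attacker.invalid/login"
host="gateway.example.com" status=200 location=""
host="gateway.example.com:8080" status=301 location="//attacker.invalid/"
"""

def scan_log(text: str, trusted=TRUSTED_HOSTS) -> list:
    """(host, location) pairs with an untrusted Host or an off-allowlist redirect."""
    hits = []
    for m in (LOG_LINE.search(line) for line in text.splitlines()):
        if m and (not host_header_is_trusted(m["host"], trusted)
                  or is_unexpected_redirect(int(m["status"]), m["location"], trusted)):
            hits.append((m["host"], m["location"]))
    return hits
```

Run against SAMPLE_LOG, scan_log flags the third line (untrusted Host echoed into the redirect) and the fifth (scheme-relative redirect off the allowlist) and leaves the same-origin and allowlisted redirects alone.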
