CVE-2026-49872
Status: Received - Intake
Improper Authentication in Apache APISIX

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is enabled on a route, an attacker may be able to authenticate with credentials issued by a different source than the one the route was configured to trust. This issue affects Apache APISIX from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Affected Vendors & Products

Vendor   Product   Version / Range
apache   apisix    From 3.0.0 (inc) to 3.16.0 (inc)   (affected)
apache   apisix    3.17.0                             (fixed)
CWE

CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-49872 is an improper authentication vulnerability in the Apache APISIX software, specifically affecting the cas-auth plugin in versions 3.0.0 through 3.16.0.

This vulnerability allows an attacker to authenticate using credentials from a source other than the one the route was configured to trust, bypassing the authentication control the plugin is meant to enforce.

The issue is fixed in Apache APISIX version 3.17.0, and users are recommended to upgrade to this version to mitigate the vulnerability.

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized access by authenticating with credentials from an unintended source.

Such unauthorized access could lead to potential misuse of the system, data exposure, or other security breaches depending on the privileges granted to the attacker.

Mitigation Strategies

To mitigate the CVE-2026-49872 vulnerability in Apache APISIX, users should upgrade their Apache APISIX installation to version 3.17.0 or later, as this version contains the fix for the improper authentication issue in the cas-auth plugin.
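As an added, defender-side example (not part of this advisory or of the APISIX project), the script below checks whether an APISIX instance is in the affected version range and lists the routes that enable the cas-auth plugin, so the two signals can be combined to decide exposure. It assumes the 3.x Admin API route-listing shape (`{"list": [{"value": {...}}], "total": N}`) and uses constructed sample data so it runs offline.

```python
"""Exposure check for CVE-2026-49872 (cas-auth plugin, Apache APISIX 3.0.0-3.16.0).

Inputs: the running APISIX version string and the JSON returned by the
Admin API route listing (GET /apisix/admin/routes). Both are constructed
samples here; in practice they come from the running instance.
"""
import json
import re

AFFECTED_MIN = (3, 0, 0)   # first affected version (inclusive), per the advisory
AFFECTED_MAX = (3, 16, 0)  # last affected version (inclusive), per the advisory
FIXED = (3, 17, 0)         # version that fixes the issue, per the advisory


def parse_version(text):
    """Extract (major, minor, patch) from a string such as '3.16.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def routes_using_cas_auth(admin_routes_json):
    """Return ids of routes whose plugin map enables cas-auth (assumed list shape)."""
    doc = json.loads(admin_routes_json)
    hits = []
    for item in doc.get("list", []):
        route = item.get("value", {})
        if "cas-auth" in (route.get("plugins") or {}):
            hits.append(route.get("id", "<no id>"))
    return hits


def assess(version, admin_routes_json):
    """Exposed only if the version is affected AND some route uses cas-auth."""
    affected = is_affected_version(version)
    cas_routes = routes_using_cas_auth(admin_routes_json)
    return {"affected_version": affected, "cas_auth_routes": cas_routes,
            "exposed": affected and bool(cas_routes)}


# Constructed sample Admin API output (plugin config values are made up).
SAMPLE_ROUTES = json.dumps({"total": 2, "list": [
    {"value": {"id": "1", "uri": "/api/*", "plugins": {"cas-auth": {"idp_uri": "https://cas.example"}}}},
    {"value": {"id": "2", "uri": "/public", "plugins": {"limit-count": {"count": 10}}}},
]})

if __name__ == "__main__":
    print(assess("3.16.0", SAMPLE_ROUTES))  # exposed: True, route "1"
    print(assess("3.17.0", SAMPLE_ROUTES))  # fixed version: exposed False
```

Routes with cas-auth on a fixed version still appear in the output, which is useful for confirming the upgrade actually covered every instance fronting those routes.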
