PatchSiren cyber security CVE debrief

CVE-2026-44087 Apache Software Foundation CVE debrief

CVE-2026-44087 is a MEDIUM-severity vulnerability in Apache APISIX's openid-connect plugin. Under default configuration, an attacker can spoof identity headers to access protected resources without authorization. This Insufficient Verification of Data Authenticity issue affects Apache APISIX versions from 2.3 to 3.16.0. Defenders should prioritize upgrading to version 3.17.0, which fixes the issue. The vulnerability has a CVSS score of 5.3 and was published on June 19, 2026.

Vendor: Apache Software Foundation
Product: Apache APISIX
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Organizations using Apache APISIX versions between 2.3 and 3.16.0 should prioritize upgrading to version 3.17.0. Specifically, security teams and administrators responsible for API management and authentication should be aware of this vulnerability and take immediate action to mitigate the risk of unauthorized access to protected resources.

Technical summary

The openid-connect plugin in Apache APISIX does not sufficiently verify the authenticity of identity data (CWE-345, Insufficient Verification of Data Authenticity). With the plugin's default configuration, an attacker can spoof identity headers and gain unauthorized access to protected resources. The issue affects Apache APISIX versions 2.3 through 3.16.0 and is fixed in version 3.17.0. The CVSS:4.0 vector is AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read as a practitioner would: the gateway itself shows no confidentiality, integrity or availability impact (VC:N/VI:N/VA:N), while the subsequent systems it fronts, the protected upstream services, take a high confidentiality and integrity impact (SC:H/SI:H); the attack is network-reachable with low privileges (AV:N/PR:L) and depends on a precondition (AT:P), consistent with the default-configuration requirement.

Defensive priority

Upgrade to version 3.17.0 to fix the vulnerability and prevent unauthorized access.

Recommended defensive actions

  • Upgrade Apache APISIX to version 3.17.0
  • Review and adjust the openid-connect plugin configuration
  • Monitor for suspicious activity related to identity headers
  • Implement compensating controls for authentication and authorization
  • Inventory and track API management systems for compliance

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and the NVD detail page. The vulnerability affects Apache APISIX versions from 2.3 to 3.16.0. Defenders should verify the version of Apache APISIX in use and confirm whether it is within the affected range. Official sources, such as the Apache security mailing list and Openwall, provide additional context and references.
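One way to carry out that version check across a fleet, as an added example that is not part of the advisory or of the APISIX project's own code: the hostnames and banners below are constructed, and the assumption that each gateway can be identified by a `Server: APISIX/<version>` response banner (APISIX's default server token) is mine.

```python
"""Flag Apache APISIX deployments inside the CVE-2026-44087 affected range
(2.3 through 3.16.0; fixed in 3.17.0). Banners like 'Server: APISIX/3.9.1'
(APISIX's default server token, assumed here) are parsed for the version."""
import re

AFFECTED_MIN = (2, 3, 0)    # first affected release per the advisory
AFFECTED_MAX = (3, 16, 0)   # last affected release per the advisory
FIXED = (3, 17, 0)          # release containing the fix


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from '3.16.0', 'v3.2' or
    'Server: APISIX/3.9.1'; a missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: dict) -> dict:
    """Map each host to an action. Unparseable banners are reported so they
    get checked by hand instead of being silently skipped."""
    result = {}
    for host, banner in inventory.items():
        try:
            v = parse_version(banner)
        except ValueError:
            result[host] = "unknown version: verify manually"
            continue
        if v >= FIXED:
            result[host] = "ok: fixed release"
        elif AFFECTED_MIN <= v <= AFFECTED_MAX:
            result[host] = "AFFECTED: upgrade to 3.17.0"
        else:
            result[host] = "older than 2.3: outside stated range, confirm with vendor"
    return result


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "gw-1.example.internal": "Server: APISIX/3.9.1",
    "gw-2.example.internal": "Server: APISIX/3.17.0",
    "gw-3.example.internal": "apisix version 2.3",
    "gw-4.example.internal": "Server: openresty",
}
```

Hosts whose banner hides the version (server tokens disabled, or a different front proxy) are deliberately returned as "verify manually" rather than treated as safe.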

This article is AI-assisted and based on the supplied source corpus.