7.5

Apache APISIX Exposes Sensitive Information When Not Using HTTPS

CVE-2026-31923
Summary

Apache APISIX versions 0.7 through 3.15.0 transmit sensitive information in plain text when using the OpenID Connect plugin without HTTPS encryption. This means that sensitive data could be intercepted by unauthorized parties. To fix this, upgrade to version 3.16.0, which includes a patch to prevent this issue.

Original description
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.

This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.
This issue affects Apache APISIX: from 0.7 through 3.15.0.

Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Vulnerability type
CWE-319 Cleartext Transmission of Sensitive Information
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026
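As an added defender-side example (not code from the advisory or from the APISIX project), the following helper walks an Admin API route listing and flags every route whose `openid-connect` plugin leaves `ssl_verify` unset or false, since the advisory states that unset means the insecure default. It assumes the two response shapes the Admin API has used (`list[]` in 3.x, `node.nodes[]` in older versions); the embedded route listing, client credentials and discovery URL are constructed placeholders.

```python
"""Audit Apache APISIX routes for openid-connect plugins that leave
`ssl_verify` unset or false (the insecure default named in the advisory).
Hypothetical helper, not part of APISIX."""
import json

# Constructed sample of a GET /apisix/admin/routes response (3.x "list"
# shape). Credentials and the discovery URL are placeholders, not real.
SAMPLE_ROUTES = json.dumps({
    "total": 2,
    "list": [
        {"key": "/apisix/routes/1", "value": {
            "id": "1", "uri": "/api/*",
            "plugins": {"openid-connect": {
                "client_id": "PLACEHOLDER_CLIENT_ID",
                "client_secret": "PLACEHOLDER_SECRET",
                "discovery": "https://idp.example/.well-known/openid-configuration",
                # ssl_verify omitted: falls back to the insecure default (false)
            }}}},
        {"key": "/apisix/routes/2", "value": {
            "id": "2", "uri": "/app/*",
            "plugins": {"openid-connect": {
                "client_id": "PLACEHOLDER_CLIENT_ID",
                "client_secret": "PLACEHOLDER_SECRET",
                "discovery": "https://idp.example/.well-known/openid-configuration",
                "ssl_verify": True,  # hardened: verify the provider's certificate
            }}}},
    ],
})


def iter_route_values(listing: dict):
    """Yield route objects from either Admin API response shape (assumed)."""
    for item in listing.get("list", []):                    # 3.x shape
        yield item.get("value", {})
    for node in listing.get("node", {}).get("nodes", []):   # older shape
        yield node.get("value", {})


def find_insecure_oidc_routes(raw_json: str) -> list[str]:
    """Return ids of routes whose openid-connect plugin does not set
    ssl_verify to true; an absent key counts as the insecure default."""
    flagged = []
    for route in iter_route_values(json.loads(raw_json)):
        oidc = route.get("plugins", {}).get("openid-connect")
        if oidc is not None and oidc.get("ssl_verify") is not True:
            flagged.append(str(route.get("id", route.get("uri", "?"))))
    return flagged


if __name__ == "__main__":
    print("routes needing ssl_verify=true:", find_insecure_oidc_routes(SAMPLE_ROUTES))
```

Point it at the JSON returned by your Admin API (with the admin key) and treat every flagged route as one to fix alongside the upgrade to 3.16.0.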