9.1
Apache APISIX: Malicious Headers Injected via Forward-Auth Plugin
CVE-2026-31908
BIT-apisix-2026-31908
Summary
Apache APISIX users are at risk of having malicious headers injected into their system if they're using the forward-auth plugin and haven't upgraded to version 3.16.0 or later. This could allow an attacker to gain unauthorized access or disrupt service. To fix, update to the latest version of APISIX, specifically 3.16.0 or newer.
What to do
- Update apisix to version 3.16.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Bitnami | – | apisix | >= 2.12.0, < 3.16.0 (fix: upgrade to 3.16.0) |
Original title
Apache APISIX: forward auth plugin allows header injection
Original description
Header injection vulnerability in Apache APISIX.
The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers.
This issue affects Apache APISIX: from 2.12.0 through 3.15.0.
Users are recommended to upgrade to version 3.16.0, which fixes the issue.
Vulnerability type
CWE-75
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 14 Apr 2026