CVE-2026-49872— Apache APISIX: Improper authentication in cas-auth plugin
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 3.0.0≤ 3.16.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49872
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache APISIX: Improper authentication in cas-auth plugin
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 3.0.0 ~ 3.16.0 | - |
II. Public POCs for CVE-2026-49872
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49872
请登录查看更多情报信息。
Mailing List Discussions for CVE-2026-49872 (1)
Same Patch Batch · Apache Software Foundation · 2026-06-19 · 12 CVEs total
| CVE-2026-49871 | Apache APISIX: cas-auth login CSRF / session injection issue | |
| CVE-2026-47341 | Apache APISIX: Session replay issue in hmac-auth | |
| CVE-2026-48895 | Apache APISIX: Cas-auth Host header influence on CAS service URL | |
| CVE-2026-49231 | Apache APISIX: Identity spoofing issue in APISIX opa plugin | |
| CVE-2026-49230 | Apache APISIX: Authentication bypass in jwe-decrypt | |
| CVE-2026-44915 | Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value | |
| CVE-2026-44087 | Apache APISIX: Openid-connect plugin Identity Header Spoofing | |
| CVE-2026-47339 | Apache APISIX: authz-casdoor incorrect session sharing | |
| CVE-2026-44046 | Apache APISIX: wolf-rbac plugin Identity Spoofing | |
| CVE-2026-39999 | Apache APISIX: JWT Algorithm Confusion allows authentication bypass | |
| CVE-2026-39998 | Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup |
IV. Related Vulnerabilities
Same product: Apache APISIX
- CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin - CVE-2026-49230
Apache APISIX: Authentication bypass in jwe-decrypt
Same vendor: Apache Software Foundation
- CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin - CVE-2026-49230
Apache APISIX: Authentication bypass in jwe-decrypt
Same weakness: CWE-287
- CVE-2026-56080
Cap-go - Authentication Logic Flaw in Enforce Password Polic - CVE-2026-45480
Azure Active Directory Elevation of Privilege Vulnerability - CVE-2026-50559
Authentication/Authorization Bypass via Advanced Path Normal - CVE-2026-32174
Azure Bot Service Elevation of Privilege Vulnerability - CVE-2026-49454
Relyra SAML SignatureValue not cryptographically verified ->
V. Comments for CVE-2026-49872
No comments yet