{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31923", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-10T11:51:05.327Z", "datePublished": "2026-04-14T08:38:59.039Z", "dateUpdated": "2026-04-14T18:16:34.559Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache APISIX", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.15.0", "status": "affected", "version": "0.7", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Oleh Konko"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.</p>This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.<br><p>This issue affects Apache APISIX: from 0.7 through 3.15.0.</p><p>Users are recommended to upgrade to version 3.16.0, which fixes the issue.</p>"}], "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-14T08:38:59.039Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache APISIX: Openid-connect `tls_verify` field is disabled by default", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T09:36:04.697Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:14:22.121391Z", "id": "CVE-2026-31923", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:16:34.559Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T09:36:04.697Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:14:22.121391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:14:14.927Z"}}], "cna": {"title": "Apache APISIX: Openid-connect `tls_verify` field is disabled by default", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Oleh Konko"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache APISIX", "versions": [{"status": "affected", "version": "0.7", "versionType": "semver", "lessThanOrEqual": "3.15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.</p>This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.<br><p>This issue affects Apache APISIX: from 0.7 through 3.15.0.</p><p>Users are recommended to upgrade to version 3.16.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-14T08:38:59.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31923", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:16:34.559Z", "dateReserved": "2026-03-10T11:51:05.327Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-14T08:38:59.039Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue."}], "id": "CVE-2026-31923", "lastModified": "2026-04-14T19:16:34.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T09:16:35.817", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.7,3.15.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache APISIX", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apisix", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T21:22:26.784867+00:00", "value": {"mitigation_remediation": ["Upgrade Apache APISIX to version 3.16.0 or later", "If upgrading is not immediately possible, set ssl_verify to true in the OpenID\u2011Connect plugin configuration", "Verify the change by ensuring TLS verification is enforced on all authentication requests", "Monitor network traffic for signs of cleartext credential transmission", "Apply any additional vendor patches or updates as they become available"], "summary": {"action": "Immediate Patch", "impact": "Cleartext transmission of sensitive information"}, "threat_synthesis": {"affected_systems": "Apache APISIX deployments from version 0.7 through 3.15.0 are affected, provided the OpenID\u2011Connect plugin is in use and has not been explicitly configured to enable ssl_verify. Users of earlier or later releases, or those that have overridden ssl_verify to true, are not impacted.", "description_and_impact": "The vulnerability arises when the OpenID\u2011Connect plugin for Apache APISIX is installed with its ssl_verify setting left to the default of false, which disables TLS verification. This allows confidential data, including authentication tokens and other sensitive payloads, to be sent in cleartext across the network. The flaw is a classic cleartext transmission vulnerability (CWE\u2011319). An attacker who can observe traffic to the APISIX gateway could thus intercept or modify information that should otherwise be protected by transport layer security.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity, but the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers could exploit the weakness remotely by sending requests to the plugin\u2019s endpoints from any location with network access to a publicly reachable APISIX gateway; the requirement that the plugin be in its default configuration limits the attack surface to installations that have not applied the vendor\u2019s recommended upgrade or reconfigured ssl_verify."}}}}, "created": "2026-04-14T16:15:45.827997+00:00", "updated": "2026-04-15T15:30:06.831115+00:00", "vendors": ["apache", "apache$PRODUCT$apisix"]}