ID

VAR-202604-1987


CVE

CVE-2026-31923


DESCRIPTION

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Trust: 1.0

sources: NVD: CVE-2026-31923

AFFECTED PRODUCTS

vendor: apache
model: apisix
scope: lt
version: 3.16.0

Trust: 1.0

vendor: apache
model: apisix
scope: gte
version: 0.7

Trust: 1.0

sources: NVD: CVE-2026-31923

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2026-31923
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2026-31923
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: NVD: CVE-2026-31923

PROBLEMTYPE DATA

problemtype: CWE-319

Trust: 1.0

sources: NVD: CVE-2026-31923

EXTERNAL IDS

db: OPENWALL
id: OSS-SECURITY/2026/04/14/1

Trust: 1.0

db: NVD
id: CVE-2026-31923

Trust: 1.0

sources: NVD: CVE-2026-31923

REFERENCES

url: https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds

Trust: 1.0

url: http://www.openwall.com/lists/oss-security/2026/04/14/1

Trust: 1.0

sources: NVD: CVE-2026-31923

SOURCES

db: NVD
id: CVE-2026-31923

LAST UPDATE DATE

2026-04-18T23:29:49.993000+00:00


SOURCES UPDATE DATE

db: NVD
id: CVE-2026-31923
date: 2026-04-17T18:39:45.377

SOURCES RELEASE DATE

db: NVD
id: CVE-2026-31923
date: 2026-04-14T09:16:35.817