ID

VAR-202606-3793


CVE

CVE-2026-44087


TITLE

Inadequate validation of data reliability in Apache Software Foundation APISIX

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769

DESCRIPTION

Insufficient Verification of Data Authenticity vulnerability in Apache APISIX. The openid-connect plugin under its default configuration has an attack surface that allows an attacker to spoof identity headers and thereby gain unauthorized access to the protected resources. This issue affects Apache APISIX from 2.3 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue. Upgrading to 3.17.0 is recommended. Impact:
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop

Trust: 1.62

sources: NVD: CVE-2026-44087 // JVNDB: JVNDB-2026-020769

AFFECTED PRODUCTS

vendor: apache, model: apisix, scope: gte, version: 2.3

Trust: 1.0

vendor: apache, model: apisix, scope: lt, version: 3.17.0

Trust: 1.0

vendor: apache, model: apisix, scope: eq, version: -

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: 2.3 to 3.17.0

Trust: 0.8

vendor: apache, model: apisix, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769 // NVD: CVE-2026-44087

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-44087
value: CRITICAL

Trust: 1.0

security@apache.org: CVE-2026-44087
value: MEDIUM

Trust: 1.0

NVD: CVE-2026-44087
value: CRITICAL

Trust: 0.8

nvd@nist.gov: CVE-2026-44087
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2026-44087
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769 // NVD: CVE-2026-44087

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.0

problemtype:Inadequate verification of data reliability (CWE-345) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769 // NVD: CVE-2026-44087

PATCH

title: Apache APISIX, url: https://lists.apache.org/thread/72ryrgdssk6s2x9d6xn14bxyyl878xfm

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769

EXTERNAL IDS

db: NVD, id: CVE-2026-44087

Trust: 2.6

db: OPENWALL, id: OSS-SECURITY/2026/06/19/7

Trust: 1.0

db: JVNDB, id: JVNDB-2026-020769

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769 // NVD: CVE-2026-44087

REFERENCES

url:https://lists.apache.org/thread/72ryrgdssk6s2x9d6xn14bxyyl878xfm

Trust: 1.0

url:http://www.openwall.com/lists/oss-security/2026/06/19/7

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-44087

Trust: 0.8

sources: JVNDB: JVNDB-2026-020769 // NVD: CVE-2026-44087

SOURCES

db: JVNDB, id: JVNDB-2026-020769
db: NVD, id: CVE-2026-44087

LAST UPDATE DATE

2026-06-26T23:29:57.111000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-020769, date: 2026-06-26T02:45:00
db: NVD, id: CVE-2026-44087, date: 2026-06-23T15:11:13.803

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-020769, date: 2026-06-26T00:00:00
db: NVD, id: CVE-2026-44087, date: 2026-06-19T14:16:22.200