ID

VAR-202606-3794


CVE

CVE-2026-44046


TITLE

Use of untrusted sources vulnerability in Apache Software Foundation APISIX

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770

DESCRIPTION

Use of Less Trusted Source vulnerability in Apache APISIX. An attacker can take advantage of the wolf-rbac plugin under its default configuration to potentially pollute logs with spoofed identity information and exploit IP-based access control rules. This issue affects Apache APISIX from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

An attacker could exploit this vulnerability in the default settings. It is recommended to upgrade to 3.17.0.

• The information handled by this software will not be leaked to external parties.
• Some of the information handled by this software may be rewritten.
• This software will not stop.

Trust: 1.62

sources: NVD: CVE-2026-44046 // JVNDB: JVNDB-2026-020770

AFFECTED PRODUCTS

vendor: apache, model: apisix, scope: lt, version: 3.17.0

Trust: 1.0

vendor: apache, model: apisix, scope: gte, version: 1.2

Trust: 1.0

vendor: apache, model: apisix, scope: eq, version: 1.2 or later, earlier than 3.17.0

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: -

Trust: 0.8

vendor: apache, model: apisix, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770 // NVD: CVE-2026-44046

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-44046
value: MEDIUM

Trust: 1.0

security@apache.org: CVE-2026-44046
value: LOW

Trust: 1.0

NVD: CVE-2026-44046
value: MEDIUM

Trust: 0.8

nvd@nist.gov: CVE-2026-44046
baseSeverity: MEDIUM
baseScore: 5.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2026-44046
baseSeverity: MEDIUM
baseScore: 5.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770 // NVD: CVE-2026-44046 // NVD: CVE-2026-44046

PROBLEMTYPE DATA

problemtype:CWE-348

Trust: 1.0

problemtype:Using Untrusted Sources (CWE-348) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770 // NVD: CVE-2026-44046

PATCH

title: Apache APISIX, url: https://lists.apache.org/thread/xkshmps51b24yw0qckl5h5ddyv0x6qf9

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770

EXTERNAL IDS

db: NVD, id: CVE-2026-44046

Trust: 2.6

db: OPENWALL, id: OSS-SECURITY/2026/06/19/6

Trust: 1.0

db: JVNDB, id: JVNDB-2026-020770

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770 // NVD: CVE-2026-44046

REFERENCES

url:https://lists.apache.org/thread/xkshmps51b24yw0qckl5h5ddyv0x6qf9

Trust: 1.0

url:http://www.openwall.com/lists/oss-security/2026/06/19/6

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-44046

Trust: 0.8

sources: JVNDB: JVNDB-2026-020770 // NVD: CVE-2026-44046

SOURCES

db: JVNDB, id: JVNDB-2026-020770
db: NVD, id: CVE-2026-44046

LAST UPDATE DATE

2026-06-26T23:20:07.356000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2026-020770, date: 2026-06-26T02:45:00
db: NVD, id: CVE-2026-44046, date: 2026-06-23T15:10:22.103

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2026-020770, date: 2026-06-26T00:00:00
db: NVD, id: CVE-2026-44046, date: 2026-06-19T14:16:22.070