Primary

Context

Apache APISIX Header Injection Vulnerability in Forward Auth Plugin

Vulnerability

Patched

A header injection vulnerability has been identified in Apache APISIX versions 2.12.0 prior to 3.15.0. This issue arises in the forward-auth plugin, where an attacker can inject malicious headers by exploiting certain configurations. Users are advised to upgrade to version 3.16.0, which addresses this vulnerability.

Impact

Exploitation of this vulnerability allows for header injection, which could be used to manipulate or spoof HTTP headers in requests.

Remediation

Users are recommended to upgrade to Apache APISIX version 3.16.0, which fixes this vulnerability.

Added: Apr 14, 2026, 9:28 AM

Updated: Apr 14, 2026, 9:28 AM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

0.6

exploitability

7.6

remediation

7.7

relevance

5.9

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

0.6

exploitability

7.6

remediation

7.7

relevance

5.9

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache APISIX Header Injection Vulnerability in Forward Auth Plugin

Vulnerability

Impact

Remediation

Affected Products

Apache APISIX

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating