Apache APISIX Cleartext Transmission of Sensitive Information Vulnerability in OpenID Connect Plugin

Vulnerability

Apache APISIX versions 0.7 through 3.15.0 ship the OpenID Connect plugin (openid-connect) with its 'ssl_verify' option defaulting to false. With that default, APISIX does not validate the TLS certificate presented by the OpenID Connect provider when it contacts the provider's endpoints (discovery, token, introspection, userinfo), so the connection is only as trustworthy as an unauthenticated one: whoever can intercept it can terminate TLS with any certificate and read or alter what is exchanged. The plugin behaves securely only when 'ssl_verify' is explicitly set to true, which most deployments have not done.

Impact

An attacker positioned on the network path between APISIX and the identity provider can present a certificate of their choosing, because APISIX does not check it, and then observe or modify the traffic: the client secret, authorization codes, access and ID tokens, and user claims are all exposed, and responses from the provider (token introspection results, discovery metadata, signing keys) can be substituted. What this yields depends on the deployment and on which endpoints the plugin is configured to use, ranging from replay of captured tokens against protected routes to acceptance of tokens the attacker minted.

Remediation

Users are advised to upgrade to Apache APISIX version 3.16.0 or later, where this issue has been addressed. On versions that cannot be upgraded yet, set 'ssl_verify' to true explicitly in every openid-connect plugin instance (on routes, services and plugin configs alike) and confirm that the CA that issued the provider's certificate is present in the trust store APISIX uses; otherwise the plugin will fail to reach the provider once verification is enabled. Audit the live Admin API configuration rather than relying on documentation of the default, since an instance that omits the option is vulnerable.
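The following script, an added example for this advisory rather than code from the Apache APISIX project, audits an Admin API listing for openid-connect plugin instances that leave 'ssl_verify' unset or false, and shows the hardened form of the plugin config beside the weak one. It assumes the Admin API list response shape {"list": [{"value": {...}}]} and that the plugin is keyed "openid-connect" with a boolean "ssl_verify" option; the route objects, secrets and provider hostname in the sample are constructed for the example.

```python
"""Audit Apache APISIX route/service definitions for openid-connect plugin
instances that leave the identity provider's TLS certificate unverified.

Added example for this advisory, not code from the Apache APISIX project.
Assumed: objects follow the Admin API list shape {"list": [{"value": {...}}]}
and the plugin is keyed "openid-connect" with a boolean "ssl_verify" option.
"""
import json
import sys

# Constructed sample, not captured from a real APISIX deployment.
SAMPLE_DUMP = json.dumps({
    "list": [
        {"value": {
            "id": "orders-api",
            "uri": "/orders/*",
            "plugins": {
                "openid-connect": {
                    # ssl_verify omitted: the plugin default (false) applies
                    "client_id": "orders",
                    "client_secret": "constructed-secret",
                    "discovery": "https://idp.example.internal/.well-known/openid-configuration",
                    "bearer_only": True,
                }
            },
        }},
        {"value": {
            "id": "billing-api",
            "uri": "/billing/*",
            "plugins": {
                "openid-connect": {
                    "client_id": "billing",
                    "client_secret": "constructed-secret",
                    "discovery": "https://idp.example.internal/.well-known/openid-configuration",
                    "ssl_verify": False,   # explicitly disabled: same exposure
                }
            },
        }},
        {"value": {
            "id": "reports-api",
            "uri": "/reports/*",
            "plugins": {
                "openid-connect": {
                    "client_id": "reports",
                    "client_secret": "constructed-secret",
                    "discovery": "https://idp.example.internal/.well-known/openid-configuration",
                    "ssl_verify": True,    # hardened: provider certificate is checked
                }
            },
        }},
        {"value": {
            "id": "health",
            "uri": "/healthz",
            "plugins": {"limit-count": {"count": 10, "time_window": 60}},
        }},
    ],
    "total": 4,
})


def oidc_ssl_verify_findings(dump_json):
    """Return [(object_id, reason)] for every openid-connect instance whose
    ssl_verify is not exactly boolean true (a missing key counts as false)."""
    findings = []
    for entry in json.loads(dump_json).get("list", []):
        obj = entry.get("value", {})
        conf = obj.get("plugins", {}).get("openid-connect")
        if conf is None:
            continue  # plugin not enabled on this object
        if "ssl_verify" not in conf:
            findings.append((obj.get("id"), "ssl_verify not set; default is false"))
        elif conf["ssl_verify"] is not True:
            findings.append((obj.get("id"), "ssl_verify explicitly disabled"))
    return findings


def hardened(plugin_conf):
    """Return a copy of an openid-connect plugin config with certificate
    verification turned on; every other option is left as configured."""
    fixed = dict(plugin_conf)
    fixed["ssl_verify"] = True
    return fixed


if __name__ == "__main__":
    # Pass a file holding an Admin API list response, or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for obj_id, reason in oidc_ssl_verify_findings(data):
        print(f"{obj_id}: {reason}")
```

Against a running instance, save the Admin API listing to a file (with the default listener and header names, `curl -s -H "X-API-KEY: $APISIX_ADMIN_KEY" http://127.0.0.1:9180/apisix/admin/routes > routes.json`) and run the script on it; repeat for the services and plugin_configs listings, since a plugin instance attached there is just as exposed as one on a route. An empty result only means no instance is missing the option; it says nothing about whether the CA that issued the provider's certificate is trusted by APISIX, which must be checked separately before verification is turned on in production.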

Added: Apr 14, 2026, 9:32 AM
Updated: Apr 14, 2026, 9:32 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 5.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.