CVE-2026-31908
Published: 14 April 2026
Description
Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes…
more
the issue.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of the header injection flaw in Apache APISIX by patching to version 3.16.0.
Mandates validation of inputs, including headers, to prevent injection attacks in the forward-auth plugin.
Ensures secure configuration settings for the forward-auth plugin to avoid enabling vulnerable configurations that allow header injection.
Security SummaryAI
CVE-2026-31908 is a header injection vulnerability in Apache APISIX, affecting versions from 2.12.0 through 3.15.0. The issue arises in the forward-auth plugin under certain configurations, allowing an attacker to inject malicious headers. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-75.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By leveraging the forward-auth plugin's configuration, they can inject malicious headers, potentially leading to high impacts on confidentiality and integrity, such as unauthorized data access or modification.
Apache advisories recommend upgrading to version 3.16.0, which resolves the issue. Further details are available in the Apache mailing list announcement at https://lists.apache.org/thread/sob643s5lztov7x579j8o0c444t36n6b and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/04/14/3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Header injection vulnerability in public-facing Apache APISIX API gateway enables remote exploitation without privileges, directly mapping to T1190: Exploit Public-Facing Application.