{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31923", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-10T11:51:05.327Z", "datePublished": "2026-04-14T08:38:59.039Z", "dateUpdated": "2026-04-14T18:16:34.559Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache APISIX", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.15.0", "status": "affected", "version": "0.7", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Oleh Konko"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.</p>This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.<br><p>This issue affects Apache APISIX: from 0.7 through 3.15.0.</p><p>Users are recommended to upgrade to version 3.16.0, which fixes the issue.</p>"}], "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-14T08:38:59.039Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache APISIX: Openid-connect `tls_verify` field is disabled by default", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T09:36:04.697Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:14:22.121391Z", "id": "CVE-2026-31923", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:16:34.559Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T09:36:04.697Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:14:22.121391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:14:14.927Z"}}], "cna": {"title": "Apache APISIX: Openid-connect `tls_verify` field is disabled by default", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Oleh Konko"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache APISIX", "versions": [{"status": "affected", "version": "0.7", "versionType": "semver", "lessThanOrEqual": "3.15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.</p>This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.<br><p>This issue affects Apache APISIX: from 0.7 through 3.15.0.</p><p>Users are recommended to upgrade to version 3.16.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-14T08:38:59.039Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31923", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:16:34.559Z", "dateReserved": "2026-03-10T11:51:05.327Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-14T08:38:59.039Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue."}], "id": "CVE-2026-31923", "lastModified": "2026-04-14T19:16:34.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T09:16:35.817", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/14/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.7,3.15.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache APISIX", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "apisix", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T10:50:50.095507+00:00", "value": {"mitigation_remediation": ["Upgrade Apache APISIX to version 3.16.0 or later.", "If an upgrade is not immediately possible, enable ssl_verify by setting it to true in the OpenID\u2011Connect plugin configuration.", "Verify that all instances of the plugin are correctly configured with TLS verification enabled after making changes.", "Monitor network traffic to detect any inadvertent transmission of sensitive information.", "Review deployment documentation to confirm that future deployments do not rely on the default disabled setting."], "summary": {"action": "Immediate Patch", "impact": "Cleartext Transmission of Sensitive Information"}, "threat_synthesis": {"affected_systems": "Apache APISIX versions from 0.7 through 3.15.0 are affected. Any deployment that uses the OpenID\u2011Connect plugin without explicitly enabling ssl_verify is at risk.", "description_and_impact": "Apache APISIX's OpenID\u2011Connect plugin defaults the ssl_verify option to false, meaning sensitive data is sent over unsecured channels. This allows credentials and other confidential information to leave the system in clear text, exposing them to eavesdroppers. The weakness falls under the category of cleartext transmission of sensitive information, CWE\u2011319.", "risk_and_exploitability": "No EPSS score is available and the vulnerability is not listed as a Known Exploited Vulnerability, suggesting limited public exploitation to date. However, because the configuration disables TLS verification by default, an attacker who can observe network traffic or influence the plugin setup may be able to capture credentials. The severity depends on the deployment; systems that route authentication traffic over insecure networks face a higher risk."}}}}, "created": "2026-04-14T16:15:45.827997+00:00", "updated": "2026-04-14T16:30:42.817980+00:00", "vendors": ["apache", "apache$PRODUCT$apisix"]}