CVE-2026-31908 PUBLISHED

Apache APISIX: forward auth plugin allows header injection

Assigner: apache
Reserved: 10.03.2026 Published: 14.04.2026 Updated: 14.04.2026

Header injection vulnerability in Apache APISIX.

An attacker can abuse certain configurations of the forward-auth plugin to inject malicious headers. This issue affects Apache APISIX from 2.12.0 through 3.15.0.

Users are recommended to upgrade to version 3.16.0, which fixes the issue.
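The advisory does not spell out which forward-auth settings are exploitable, so the following is an added illustration of the CWE-75 bug class it names, not Apache APISIX code and not the specific APISIX flaw. It models the step a forward-auth style plugin performs, copying an allowlist of headers from the auth service's response onto the upstream request, in a naive form that serialises values verbatim and in a hardened form that validates names and values first. The auth-service response, the `UPSTREAM_HEADERS` allowlist and all function names are constructed for the example.

```python
"""Header injection (CWE-75, CRLF injection) in a forward-auth style
header-copying step, beside a hardened variant.

Added example for this advisory: not Apache APISIX code, and not a
reproduction of CVE-2026-31908. The plugin logic, the allowlist and the
auth-service response below are assumptions made for illustration."""
import re

# RFC 9110 token grammar for header field names.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values must not carry CR, LF or NUL (obs-fold is obsolete).
_BAD_VALUE_CHARS = re.compile(r"[\r\n\x00]")

# Constructed response headers from an imaginary auth service. The
# X-Groups value smuggles a CRLF followed by a fake header line.
AUTH_RESPONSE_HEADERS = {
    "X-User-Id": "alice",
    "X-Groups": "users\r\nX-Admin: true",
    "Set-Cookie": "session=abc",  # not allowlisted, must never be copied
}

# Hypothetical plugin setting: auth-service headers forwarded upstream.
UPSTREAM_HEADERS = ["X-User-Id", "X-Groups"]


class HeaderInjection(ValueError):
    """Raised when a header would cross the trust boundary malformed."""


def copy_headers_naive(auth_headers, allowlist):
    """Vulnerable: copies allowlisted headers verbatim and serialises them by
    string concatenation, so a CRLF inside a value starts a new header line."""
    lines = [f"{n}: {auth_headers[n]}" for n in allowlist if n in auth_headers]
    return "\r\n".join(lines) + "\r\n"


def parse_head(raw):
    """Parse serialised header lines the way a naive upstream would."""
    result = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        result[name.strip().lower()] = value.strip()
    return result


def injected_header_names(auth_headers, allowlist):
    """Names that reach the upstream through the naive path but were never in
    the allowlist. A non-empty result means the injection succeeded."""
    allowed = {a.lower() for a in allowlist}
    seen = parse_head(copy_headers_naive(auth_headers, allowlist))
    return sorted(n for n in seen if n not in allowed)


def copy_headers_hardened(auth_headers, allowlist):
    """Validate every name and value before it is copied; reject instead of
    silently stripping, so the auth step fails closed on tampered input."""
    wanted = {a.lower() for a in allowlist}
    out = {}
    for name, value in auth_headers.items():
        if name.lower() not in wanted:
            continue
        if not _TOKEN_RE.match(name):
            raise HeaderInjection(f"illegal header name {name!r}")
        if _BAD_VALUE_CHARS.search(value):
            raise HeaderInjection(f"CR/LF/NUL in value of {name}")
        out[name] = value
    return out


def hardened_rejects(auth_headers, allowlist):
    """True when the hardened copy refuses the given auth-service headers."""
    try:
        copy_headers_hardened(auth_headers, allowlist)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print("naive path leaks:", injected_header_names(AUTH_RESPONSE_HEADERS, UPSTREAM_HEADERS))
    print("hardened path rejects:", hardened_rejects(AUTH_RESPONSE_HEADERS, UPSTREAM_HEADERS))
```

The hardened copy raises rather than dropping the bad value: a forward-auth decision that has been tampered with should deny the request, not pass a partially sanitised identity upstream. Regardless of which configuration triggers the APISIX issue, the practical check is the same: confirm the running version is 3.16.0 or later, and review which auth-service headers the plugin is configured to forward.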

Product Status

Vendor Apache Software Foundation
Product Apache APISIX
Versions Default: unaffected
  • affected from 2.12.0 to 3.15.0 (incl.)

Credits

  • SeungMyung Lee reporter

Problem Types

  • CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)