Description
Authentication Bypass by Spoofing vulnerability in the opa plugin of Apache APISIX. When the plugin is deployed in a non-default configuration, an attacker can relay spoofed identity headers through the gateway to the upstream service and thereby assume higher privileges on that upstream. This issue affects Apache APISIX from 3.5.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
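The advisory does not name the configuration option involved or the exact code path, so the following is an added illustration of the bug class (CWE-290 at a gateway that relays identity headers), not Apache APISIX or opa plugin code. It models a gateway that consults an external policy engine and forwards the identity headers the engine returns to an upstream that trusts them. The header names (X-User, X-Role), the bearer tokens, the policy stub and the gateway logic are all constructed for this example. The weak relay copies the client's headers through and only overlays what the policy engine returned, so a trusted header the engine did not set, or a client copy that differs only in letter case, survives to the upstream; the hardened relay strips every header the upstream is configured to trust before setting the engine's values.

```python
"""CWE-290 at a gateway that relays identity headers (added illustration).

Not Apache APISIX or opa plugin code. A gateway fronts an upstream that
trusts identity headers the gateway sets after consulting a policy engine.
Header names, tokens, the policy stub and the relay logic are constructed.
"""


def header_values(headers, name):
    """All values for a header name, compared case-insensitively: this is
    what an upstream HTTP stack sees when it looks the header up."""
    return [v for k, v in headers.items() if k.lower() == name.lower()]


def policy_decision(client_headers):
    """Constructed stand-in for a policy engine response:
    {'allow': bool, 'headers': {name: value}} to set on the upstream request.
    One token carries an identity, one is allowed without any identity."""
    token = header_values(client_headers, "Authorization")
    if token == ["Bearer alice-token"]:
        return {"allow": True, "headers": {"X-User": "alice", "X-Role": "user"}}
    if token == ["Bearer guest-token"]:
        return {"allow": True, "headers": {}}  # allowed, no identity attached
    return {"allow": False, "headers": {}}


def relay_vulnerable(client_headers, forward_names):
    """Weak pattern: pass client headers through, then overlay whatever the
    policy engine returned for the configured forward_names. A forwarded
    header the engine does NOT set survives from the client, and a client
    header differing only in case survives next to the engine-set one."""
    decision = policy_decision(client_headers)
    if not decision["allow"]:
        return None
    upstream = dict(client_headers)
    for name in forward_names:
        if name in decision["headers"]:
            upstream[name] = decision["headers"][name]
    return upstream


def relay_hardened(client_headers, forward_names):
    """Strip every header the upstream trusts, case-insensitively, before
    setting only what the policy engine returned."""
    decision = policy_decision(client_headers)
    if not decision["allow"]:
        return None
    trusted = {n.lower() for n in forward_names}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in trusted}
    for name in forward_names:
        if name in decision["headers"]:
            upstream[name] = decision["headers"][name]
    return upstream


# Assumed gateway configuration: headers the upstream trusts the gateway to set.
FORWARD = ["X-User", "X-Role"]

# Constructed attacker requests: a guest who adds admin identity headers, and
# alice who adds a lowercase duplicate of a header the policy engine sets.
SPOOF_GUEST = {"Authorization": "Bearer guest-token", "X-User": "root", "X-Role": "admin"}
SPOOF_CASE = {"Authorization": "Bearer alice-token", "x-role": "admin"}


if __name__ == "__main__":
    for label, req in (("guest spoof", SPOOF_GUEST), ("case spoof", SPOOF_CASE)):
        for relay in (relay_vulnerable, relay_hardened):
            up = relay(req, FORWARD)
            print(f"{label:11} {relay.__name__:16} X-Role at upstream: {header_values(up, 'X-Role')}")
```

The same check applies when auditing a real deployment: send a request carrying the identity headers your upstream trusts and confirm the upstream receives only the values the gateway itself set, in every letter-case variant of the header name.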
Problem types
CWE-290 Authentication Bypass by Spoofing
Product status
Affected: 3.5.0 through 3.16.0 (semver); fixed in 3.17.0
Credits
lokerxxx
References
www.openwall.com/lists/oss-security/2026/06/19/13
lists.apache.org/thread/s1jd1vxm59p6ghx47xhmpjdk1cobo4hn