CVE-2026-31908

CRITICAL

Apache APISIX: forward auth plugin allows header injection

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-31908. PoCs published by adminlove520, MehranTurk.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-31908, targeting Apache APISIX header injection vulnerabilities. The PoC includes detection, header injection testing, and authentication bypass attempts using CRLF injection techniques.

Description

Header injection vulnerability in Apache APISIX. An attacker can take advantage of certain forward-auth plugin configurations to inject malicious headers. This issue affects Apache APISIX from 2.12.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.
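The description names the bug class (header injection via the forward-auth plugin) and the PoC summaries name the technique (CRLF injection), but the page does not give the exact configuration or code path involved. The following is an added example written for this page, not Apache APISIX code and not a reproduction of the CVE: a minimal model of the class, in which header values obtained from an auth service are copied into the request forwarded upstream. The vulnerable serializer concatenates values unchecked, so a CR LF inside one value becomes a second header line that the upstream parses on its own; the hardened serializer validates names and values against the HTTP token and field-value grammar first. The header names, the `X-Authenticated-User` identity header and the sample values are all constructed for the illustration.

```python
import re

# Constructed sample input: header values an auth service might return to a
# gateway. The second dict carries a CR LF pair followed by a second header
# line, the classic CRLF header-injection payload shape.
CLEAN_AUTH_HEADERS = {"X-Request-Tag": "tag123", "X-Authenticated-User": "alice"}
INJECTED_AUTH_HEADERS = {"X-Request-Tag": "tag123\r\nX-Authenticated-User: admin"}

# HTTP token (header name) and field-value (HTAB, visible ASCII, SP, obs-text).
# CR and LF are deliberately absent from the value class.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def serialize_vulnerable(method, path, headers):
    """Build the upstream request by plain string concatenation.

    Nothing checks the values, so a CR LF inside one becomes a line break and
    whatever follows it is read by the upstream as a separate header.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def find_injectable_headers(headers):
    """Return the names of headers whose name or value is not a legal HTTP
    field. re.fullmatch is used on purpose: re.match with a trailing '$'
    would still accept a value that ends in a lone newline."""
    bad = []
    for name, value in headers.items():
        if not _TOKEN.fullmatch(name) or not _FIELD_VALUE.fullmatch(value):
            bad.append(name)
    return bad


def serialize_hardened(method, path, headers):
    """Same serialization, but refuse any header that fails validation."""
    bad = find_injectable_headers(headers)
    if bad:
        raise ValueError(f"refusing to forward malformed header(s): {bad}")
    return serialize_vulnerable(method, path, headers)


def parse_upstream_headers(raw):
    """Parse the serialized request the way a naive upstream would: one
    header per CR LF separated line, up to the blank line."""
    parsed = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return parsed


if __name__ == "__main__":
    raw = serialize_vulnerable("GET", "/admin", INJECTED_AUTH_HEADERS)
    print(parse_upstream_headers(raw))
    print(find_injectable_headers(INJECTED_AUTH_HEADERS))
    try:
        serialize_hardened("GET", "/admin", INJECTED_AUTH_HEADERS)
    except ValueError as exc:
        print(exc)
```

The validator rejects rather than strips: silently dropping CR and LF would leave the rest of the injected line in place as a value and hide the attempt from logs, whereas a refused request is something a detection rule can key on.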

Exploits (2)

Source: github · Working PoC · 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-31908

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Apache APISIX
Authentication: none needed
Prerequisites: network access to target APISIX instance · knowledge of protected endpoints
Analyzed by devstral-2 on May 11, 2026
Source: nomisec · Working PoC · 1 star
by MehranTurk · poc
https://github.com/MehranTurk/CVE-2026-31908

The repository contains a functional Python exploit for CVE-2026-31908, targeting Apache APISIX header injection vulnerabilities. It includes payloads for CRLF injection and authentication bypass techniques, with clear execution logic and response handling.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Apache APISIX
Authentication: none needed
Prerequisites: target URL with APISIX server · accessible admin endpoints
Analyzed by devstral-2 on Apr 20, 2026

Scores

CVSS v3.1: 9.1
EPSS: 0.0003
EPSS Percentile: 9.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-75 (Failure to Sanitize Special Elements into a Different Plane / Special Element Injection)
Status: published
Products (2)
apache/apisix 2.12.0 - 3.16.0 (upper bound exclusive: 3.16.0 is the fixed release)
Apache Software Foundation/Apache APISIX 2.12.0 - 3.15.0
Published: Apr 14, 2026
Tracked Since: Apr 14, 2026
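The affected range above is necessary but not sufficient on its own: the description ties the issue to certain forward-auth plugin configurations, so a fleet triage should combine the version with whether forward-auth is actually enabled. The following is an added example for this page, not APISIX tooling: it parses the version out of a Server header, compares it against the range the advisory gives (2.12.0 up to but excluding 3.16.0) with tuple comparison so 3.9.x sorts below 3.15.0, and checks route objects in Admin API shape for the forward-auth plugin. The route objects and upstream addresses are constructed; the exact forward-auth configuration the CVE requires is not stated on this page, so a positive result means "review this route", not "confirmed exploitable".

```python
import re

# Affected range from the advisory text on this page: 2.12.0 through 3.15.0
# is affected and 3.16.0 is the fixed release (upper bound exclusive).
FIRST_AFFECTED = (2, 12, 0)
FIRST_FIXED = (3, 16, 0)

_SERVER_RE = re.compile(r"\bAPISIX/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_apisix_version(server_header):
    """Extract (major, minor, patch) from a Server header such as
    'APISIX/3.15.0'. Returns None when the header is missing, belongs to
    another product, or has the version stripped; fall back to the package
    version on the host in that case."""
    if not server_header:
        return None
    match = _SERVER_RE.search(server_header)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def version_in_affected_range(version):
    """Tuple comparison keeps 3.9.1 < 3.15.0 correct, unlike string compare."""
    return version is not None and FIRST_AFFECTED <= version < FIRST_FIXED


def uses_forward_auth(route):
    """True if a route object (Admin API shape) enables the forward-auth plugin."""
    return "forward-auth" in (route.get("plugins") or {})


def triage(server_header, routes):
    """Combine the version check with the plugin check.

    Returns one of: 'unknown-version', 'not-affected',
    'affected-version-no-forward-auth', 'affected'.
    """
    version = parse_apisix_version(server_header)
    if version is None:
        return "unknown-version"
    if not version_in_affected_range(version):
        return "not-affected"
    if any(uses_forward_auth(route) for route in routes):
        return "affected"
    return "affected-version-no-forward-auth"


# Constructed sample route objects; only the "plugins" key matters here and
# the upstream and auth-service addresses are placeholders.
SAMPLE_ROUTES = [
    {"uri": "/public/*", "upstream": {"nodes": {"127.0.0.1:8080": 1}}, "plugins": {}},
    {"uri": "/admin/*", "upstream": {"nodes": {"127.0.0.1:8080": 1}},
     "plugins": {"forward-auth": {"uri": "http://127.0.0.1:9080/auth"}}},
]

if __name__ == "__main__":
    for header in ("APISIX/3.15.0", "APISIX/3.16.0", "APISIX/2.11.0", "nginx", None):
        print(header, "->", triage(header, SAMPLE_ROUTES))
```

Route objects are best pulled from the Admin API or the declarative config rather than inferred from traffic; a gateway that hides its version in the Server header reports as unknown here and needs the host-side check.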