CVE-2026-31923

HIGH7.5EPSS 0.04%

Apache APISIX: Openid-connect `tls_verify` field is disabled by default

Published: 4/16/2026Modified: 4/17/2026

Also known as:BIT-apisix-2026-31923

Description

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Affected packages (1)

Bitnami/apisix>= 0.7.0, < 3.16.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

WEBhttps://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-31923
WEBhttp://www.openwall.com/lists/oss-security/2026/04/14/1