CVE-2026-44046— Apache APISIX: wolf-rbac plugin Identity Spoofing
Possible ATT&CK Techniques 1AI
T1199 · Trusted RelationshipAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 1.2.0≤ 3.16.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44046
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache APISIX: wolf-rbac plugin Identity Spoofing
Source: NVD (National Vulnerability Database)
Vulnerability Description
Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用不可信的源
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 1.2.0 ~ 3.16.0 | - |
II. Public POCs for CVE-2026-44046
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44046
请登录查看更多情报信息。
Mailing List Discussions for CVE-2026-44046 (1)
Same Patch Batch · Apache Software Foundation · 2026-06-19 · 12 CVEs total
| CVE-2026-49872 | Apache APISIX: Improper authentication in cas-auth plugin | |
| CVE-2026-49871 | Apache APISIX: cas-auth login CSRF / session injection issue | |
| CVE-2026-47341 | Apache APISIX: Session replay issue in hmac-auth | |
| CVE-2026-48895 | Apache APISIX: Cas-auth Host header influence on CAS service URL | |
| CVE-2026-49231 | Apache APISIX: Identity spoofing issue in APISIX opa plugin | |
| CVE-2026-49230 | Apache APISIX: Authentication bypass in jwe-decrypt | |
| CVE-2026-44915 | Apache APISIX: Cas-auth plugin open redirect via unsanitized cookie value | |
| CVE-2026-44087 | Apache APISIX: Openid-connect plugin Identity Header Spoofing | |
| CVE-2026-47339 | Apache APISIX: authz-casdoor incorrect session sharing | |
| CVE-2026-39999 | Apache APISIX: JWT Algorithm Confusion allows authentication bypass | |
| CVE-2026-39998 | Apache APISIX: Identity Injection via forward-auth Plugin Missing Header Cleanup |
IV. Related Vulnerabilities
Same product: Apache APISIX
- CVE-2026-49872
Apache APISIX: Improper authentication in cas-auth plugin - CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin
Same vendor: Apache Software Foundation
- CVE-2026-49872
Apache APISIX: Improper authentication in cas-auth plugin - CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue - CVE-2026-47341
Apache APISIX: Session replay issue in hmac-auth - CVE-2026-48895
Apache APISIX: Cas-auth Host header influence on CAS service - CVE-2026-49231
Apache APISIX: Identity spoofing issue in APISIX opa plugin
Same weakness: CWE-348
V. Comments for CVE-2026-44046
No comments yet