CVE-2026-49871
Apache APISIX: cas-auth login CSRF / session injection issue
Description
Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations. This defect allows a remote attacker that manages to send a victim to a webpage controlled by them can cause the victim's browser to become authenticated as a different identity. Actions the victim takes upstream are then attributed to attackers identity. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.
INFO
Published Date :
June 19, 2026, 1:18 p.m.
Last Modified :
June 19, 2026, 1:18 p.m.
Remotely Exploit :
Yes !
Source :
apache
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | LOW | f0158376-9dc2-43b6-827c-5f631a4d8d09 | ||||
| CVSS 4.0 | LOW | [email protected] |
Solution
- Upgrade Apache APISIX to version 3.17.0 or later.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-49871 vulnerability anywhere in the article.