CVE-2026-44046

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to…

apache·CWE-348·Published 2026-06-19

CVSS

—

EPSS

—

KEV

Exploits

Vendor statements (1)

lists.apache.org

cve.orgen

377 chars

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the issue.

Version	Type	Source	Base	Exp	Impact	Vector
4.0	Primary	cve.org	2.3	—	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
4.0	Secondary	ENISA EUVD	2.3	—	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CVE-2026-44046

Vendor statements (1)

CVSS metrics across sources