Apache APISIX fixes header injection and plaintext log export flaws
Apache disclosed two moderate-severity vulnerabilities in APISIX affecting multiple 2.x and 3.x releases, and urged users to upgrade to version 3.16.0. CVE-2026-31908 affects the forward-auth plugin in certain configurations and allows an attacker to inject malicious headers in APISIX versions 2.12.0 through 3.15.0.
Apache also disclosed CVE-2026-31924, a cleartext transmission flaw in the tencent-cloud-cls log export plugin that sends sensitive information over plaintext HTTP in versions 2.99.0 through 3.15.0. The issues were reported by SeungMyung Lee and Oleh Konko, respectively, and were announced on the oss-sec mailing list by Abhishek Choudhary.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache publicly discloses two APISIX vulnerabilities on oss-sec
On the oss-sec mailing list, Abhishek Choudhary disclosed CVE-2026-31908 and CVE-2026-31924 affecting Apache APISIX. CVE-2026-31908 was credited to SeungMyung Lee, while CVE-2026-31924 was credited to Oleh Konko.
Apache APISIX fixes CVE-2026-31908 and CVE-2026-31924 in version 3.16.0
Apache addressed two moderate-severity vulnerabilities in APISIX by recommending an upgrade to version 3.16.0. The flaws affected APISIX versions up to 3.15.0, including a forward-auth header injection issue and plaintext HTTP use in the tencent-cloud-cls log export plugin.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
oss-sec: CVE-2026-31924: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP
seclists.org
Open sourceoss-sec: CVE-2026-31908: Apache APISIX: forward auth plugin allows header injection
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for **Apache CXF** to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include **`CVE-2026-44930`**, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an **XXE** flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible **remote code execution** condition tied to an incomplete fix for an older JMS-related bug. Affected releases include **4.2.0**, **4.0.0 through 4.1.5**, and older branches before **3.6.11**. Apache published patched versions **4.2.1**, **4.1.6**, and **3.6.11**, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
May 26, 2026
Apache Syncope Patches XSS and XXE Flaws Enabling Session Hijacking and Data Leakage
The Apache Software Foundation released security updates for *Apache Syncope* to address vulnerabilities that could enable **session hijacking** and **sensitive data exposure** in identity-management deployments. One issue, **CVE-2026-23794**, is a **reflected XSS** flaw in the **Enduser Login** page where an attacker can trick a user into clicking a crafted link, leading to arbitrary JavaScript execution in the victim’s browser and potential theft of session cookies or actions performed as the user. A second issue, **CVE-2026-23795**, is an **XML External Entity (XXE)** vulnerability in the **Syncope Console** related to creating/editing **Keymaster parameters**; it requires an attacker to have (or obtain) administrator-level entitlements, but can then be used to submit malicious XML to trigger data leakage and potentially facilitate session compromise. Reported affected versions include **3.0–3.0.15** and **4.0–4.0.3**, with fixes available in **3.0.16** and **4.0.4**; organizations running impacted releases are advised to upgrade promptly, particularly given Syncope’s role in authentication and access control.
Mar 21, 2026
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
May 25, 2026