Cyber Posture

CVE-2026-31923

Severity: High
Published: 14 April 2026
Modified: 17 April 2026
CISA KEV: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (11.1th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31923 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Apache APISIX. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 11.1th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-8 Transmission Confidentiality and Integrity (prevent): requires protection of the confidentiality of transmitted information, directly preventing cleartext exposure of sensitive data caused by disabled SSL certificate verification in the openid-connect plugin.

CM-6 Configuration Settings (prevent): mandates secure configuration settings for system components, such as enforcing ssl_verify=true in the Apache APISIX openid-connect plugin so that TLS verification is performed.

SI-2 Flaw Remediation (prevent): directs identification, reporting, and correction of flaws like CVE-2026-31923 through timely patching to Apache APISIX version 3.16.0.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040).
Why these techniques?

The CVE describes remote exploitation of a public-facing APISIX instance (T1190) whose openid-connect plugin runs with SSL verification disabled, which directly enables network sniffing (T1040) and adversary-in-the-middle interception (T1557) of sensitive data sent in cleartext.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

Deeper analysis

CVE-2026-31923 is a Cleartext Transmission of Sensitive Information vulnerability (CWE-319) in Apache APISIX, caused by the `ssl_verify` option in the openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX versions from 0.7 through 3.15.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to significant confidentiality impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation enables interception and disclosure of sensitive information transmitted in cleartext, without impacting integrity or availability.

Apache advisories recommend upgrading to version 3.16.0, which fixes the issue. Additional details are provided in the Apache mailing list thread at https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds and the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/04/14/1.
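The practical defender's check for this advisory is a configuration audit: find every openid-connect plugin instance that omits `ssl_verify` (which the advisory says defaults to false on affected versions) or sets it to false, and force it to true until the 3.16.0 upgrade lands. The following is an added example, not code from the advisory or from the APISIX project; it assumes the Admin API export layout (a `plugins` map keyed by plugin name, with `ssl_verify` and `discovery` inside `openid-connect`), and it also flags a plaintext `http://` discovery URL, which is the same weakness class even though the advisory does not mention it. The routes and IdP hostname are constructed.

```python
import copy
from typing import Any, Dict, List

PLUGIN = "openid-connect"

def check_object(obj: Dict[str, Any]) -> List[str]:
    """Return findings for one exported route object; an empty list means clean."""
    findings: List[str] = []
    oidc = (obj.get("plugins") or {}).get(PLUGIN)
    if oidc is None:
        return findings  # plugin not enabled on this route
    name = obj.get("id") or obj.get("uri") or "<unnamed>"
    ssl_verify = oidc.get("ssl_verify")
    if ssl_verify is None:
        # Per the advisory, an omitted ssl_verify defaults to false in <= 3.15.0
        findings.append(f"{name}: {PLUGIN} omits ssl_verify (defaults to false)")
    elif ssl_verify is not True:
        findings.append(f"{name}: {PLUGIN} sets ssl_verify={ssl_verify!r}")
    # Same weakness class: an http:// discovery URL fetches IdP metadata in cleartext
    if str(oidc.get("discovery", "")).startswith("http://"):
        findings.append(f"{name}: discovery endpoint uses plaintext http://")
    return findings

def audit(objects: List[Dict[str, Any]]) -> List[str]:
    """Run check_object over every exported route/service object."""
    return [f for obj in objects for f in check_object(obj)]

def harden(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with ssl_verify explicitly set to true (the CM-6 setting)."""
    fixed = copy.deepcopy(obj)
    oidc = (fixed.get("plugins") or {}).get(PLUGIN)
    if oidc is not None:
        oidc["ssl_verify"] = True
    return fixed

# Constructed sample routes with a hypothetical IdP; not from a real deployment.
DISCOVERY = "https://idp.example.test/.well-known/openid-configuration"
SAMPLE_ROUTES = [
    {"id": "api-default", "uri": "/api/*", "plugins": {PLUGIN: {
        "client_id": "app", "client_secret": "PLACEHOLDER", "discovery": DISCOVERY}}},
    {"id": "api-explicit-off", "uri": "/admin/*", "plugins": {PLUGIN: {
        "client_id": "app", "client_secret": "PLACEHOLDER", "discovery": DISCOVERY,
        "ssl_verify": False}}},
    {"id": "api-ok", "uri": "/ok/*", "plugins": {PLUGIN: {
        "client_id": "app", "client_secret": "PLACEHOLDER", "discovery": DISCOVERY,
        "ssl_verify": True}}},
    {"id": "public", "uri": "/public/*"},
]
```

Running `audit(SAMPLE_ROUTES)` reports the first two routes; `audit([harden(r) for r in SAMPLE_ROUTES])` reports nothing, and `harden` leaves the original objects untouched so the pre-fix export can be kept as evidence.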

Details

CWE(s): CWE-319 (Cleartext Transmission of Sensitive Information)

Affected Products: apache / apisix, versions 0.7 — 3.16.0

CVEs Like This One

CVE-2026-31908 (same product: Apache APISIX)
CVE-2026-24281 (same vendor: Apache)
CVE-2026-24734 (same vendor: Apache)
CVE-2024-55532 (same vendor: Apache)
CVE-2025-54466 (same vendor: Apache)
CVE-2026-40466 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2025-68637 (same vendor: Apache)
CVE-2026-24343 (same vendor: Apache)
CVE-2025-66614 (same vendor: Apache)
