Cyber Resilience

CVE-2026-31923

Severity: High

Published: 14 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: upgrade to 3.16.0
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (14.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31923 is a high-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Apache APISIX. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2026-31923 is a Cleartext Transmission of Sensitive Information vulnerability (CWE-319) in Apache APISIX, caused by the `ssl_verify` option in the openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX versions from 0.7 through 3.15.0. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to significant confidentiality impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation enables interception and disclosure of sensitive information transmitted in cleartext, without impacting integrity or availability.

Apache advisories recommend upgrading to version 3.16.0, which fixes the issue. Additional details are provided in the Apache mailing list thread at https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds and the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/04/14/1.

EU & UK References

Vulnerability details

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default. This issue affects Apache APISIX: from 0.7 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue.

CWE(s)

CWE-319 Cleartext Transmission of Sensitive Information

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (T1040)…
Why these techniques?

The CVE describes remote exploitation of a public-facing APISIX deployment (T1190) via disabled SSL verification in the openid-connect plugin, which directly enables network sniffing (T1040) and adversary-in-the-middle interception (T1557) of sensitive data transmitted in cleartext.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31908 (same product: Apache APISIX)
CVE-2026-24281 (same vendor: Apache)
CVE-2026-24734 (same vendor: Apache)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41873 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-34059 (same vendor: Apache)
CVE-2026-40961 (same vendor: Apache)
CVE-2025-48913 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: apisix
Versions: 0.7 to 3.16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-8 Transmission Confidentiality and Integrity (prevent)
Requires protection of the confidentiality of transmitted information, directly preventing cleartext exposure of sensitive data due to disabled SSL certificate verification in the openid-connect plugin.

CM-6 Configuration Settings (prevent)
Mandates secure configuration settings for system components, such as enforcing ssl_verify=true in the Apache APISIX openid-connect plugin to enable TLS verification.

SI-2 Flaw Remediation (prevent)
Directs identification, reporting, and correction of flaws like CVE-2026-31923 through timely patching to Apache APISIX version 3.16.0.
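As an added example (not part of this advisory page and not code from the APISIX project), the following Python script turns the Deeper analysis and the CM-6 control above into a concrete check: it scans an exported APISIX configuration for openid-connect plugin blocks whose `ssl_verify` is unset (which defaults to false on the affected versions) or explicitly false, tests the running version against the affected range stated on this page (0.7 through 3.15.0, fixed in 3.16.0), and produces a hardened copy with `ssl_verify` set to true. The export layout (top-level collections `routes`, `services`, `global_rules`, `plugin_configs`, each a list of objects carrying an `id` and a `plugins` map), the sample entries, the identity-provider hostname and the client secrets are all constructed for this example and are assumptions, not values from the advisory.

```python
"""Audit an APISIX configuration export for openid-connect plugin instances
whose `ssl_verify` is unset (defaults to false on affected versions) or
explicitly false, then emit a hardened copy with ssl_verify set to true.

Assumptions for this example (not from the advisory or the APISIX project):
the export is a dict of collections ("routes", "services", "global_rules",
"plugin_configs"), each a list of objects carrying an "id" and a "plugins" map.
"""
import copy
import json

# Affected range stated in the advisory: 0.7 through 3.15.0; 3.16.0 fixes it.
AFFECTED_MIN = (0, 7, 0)
FIXED_VERSION = (3, 16, 0)

PLUGIN_COLLECTIONS = ("routes", "services", "global_rules", "plugin_configs")


def parse_version(version):
    """Turn '3.15.0' into (3, 15, 0); pad short forms like '0.7' to 3 parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected_version(version):
    """True when the version lies in the half-open range [0.7, 3.16.0)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def iter_oidc_instances(export):
    """Yield (location, plugin_conf) for every openid-connect plugin block."""
    for collection in PLUGIN_COLLECTIONS:
        for obj in export.get(collection, []):
            conf = (obj.get("plugins") or {}).get("openid-connect")
            if conf is not None:
                yield f"{collection}/{obj.get('id', '?')}", conf


def find_weak_oidc(export, apisix_version):
    """Return [(location, reason)] for plugin blocks that skip TLS verification
    of the identity provider. An unset value only counts on affected versions,
    where the advisory says the default is false."""
    findings = []
    for location, conf in iter_oidc_instances(export):
        value = conf.get("ssl_verify")
        if value is False:
            findings.append((location, "ssl_verify explicitly false"))
        elif value is None and is_affected_version(apisix_version):
            findings.append((location, "ssl_verify unset; defaults to false on this version"))
    return findings


def harden(export):
    """Return a deep copy with ssl_verify=true on every openid-connect block,
    so the setting no longer depends on the version's default."""
    fixed = copy.deepcopy(export)
    for _, conf in iter_oidc_instances(fixed):
        conf["ssl_verify"] = True
    return fixed


# Constructed sample export: ids, hostnames and secrets are placeholders.
SAMPLE_EXPORT = {
    "routes": [
        {"id": "1", "uri": "/api/*", "plugins": {"openid-connect": {
            "client_id": "demo-client", "client_secret": "PLACEHOLDER-SECRET",
            "discovery": "https://idp.example.test/.well-known/openid-configuration"}}},
        {"id": "2", "uri": "/public/*", "plugins": {
            "limit-count": {"count": 10, "time_window": 60}}},
        {"id": "3", "uri": "/admin/*", "plugins": {"openid-connect": {
            "client_id": "admin-client", "client_secret": "PLACEHOLDER-SECRET",
            "discovery": "https://idp.example.test/.well-known/openid-configuration",
            "ssl_verify": False}}},
    ],
    "services": [
        {"id": "svc-1", "plugins": {"openid-connect": {
            "client_id": "svc-client", "client_secret": "PLACEHOLDER-SECRET",
            "discovery": "https://idp.example.test/.well-known/openid-configuration",
            "ssl_verify": True}}},
    ],
}

if __name__ == "__main__":
    for location, reason in find_weak_oidc(SAMPLE_EXPORT, "3.15.0"):
        print(f"WEAK  {location}: {reason}")
    print(json.dumps(harden(SAMPLE_EXPORT)["routes"][0]["plugins"], indent=2))
```

Run against the constructed sample on version 3.15.0, the audit flags route 1 (unset) and route 3 (explicitly false) and leaves svc-1 alone; on 3.16.0 only route 3 is reported, following the advisory's statement that the fixed release no longer needs the explicit setting. The hardening step sets `ssl_verify` explicitly everywhere regardless of version, which is the CM-6 posture: do not rely on a default for a control that protects the client secret and tokens exchanged with the identity provider.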

References