What is CVE-2026-31908?

CVE-2026-31908 is a vulnerability in Apache Software Foundation Apisix, classified under CWE-75. Published 2026-04-14.

Is CVE-2026-31908 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Apisix

CVE-2026-31908

Header injection vulnerability in Apache APISIX. The attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers. This issue affects Apache APISIX: from 2.12.0 through 3.15.0. Users are recomme…

EPSS: 0.000 (13.5th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Apisix — versions 2.12.0

Weakness classification (CWE)

CWE-75

Public proof-of-concept exploits

MehranTurk/CVE-2026-31908

References

lists.apache.org/thread/sob643s5lztov7x579j8o0c444t36n6b (vendor-advisory)

Frequently asked questions

What is CVE-2026-31908?: CVE-2026-31908 is a vulnerability in Apache Software Foundation Apisix, classified under CWE-75. Published 2026-04-14.
Is CVE-2026-31908 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.