PT-2026-32601 · Apache · Apache Apisix
Seungmyung Lee
·
Published
2026-04-14
·
Updated
2026-04-16
·
CVE-2026-31908
CVSS v2.0
9.4
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Apache APISIX versions 2.12.0 through 3.15.0
Description
A header injection issue exists in the forward-auth plugin due to improper neutralization of CRLF sequences (carriage return followed by line feed, the two-character sequence that terminates each line of an HTTP message). Because header fields are delimited by CRLF, a value that is copied into an outgoing header without stripping these characters is interpreted by the receiver as ending that header and starting a new one. A remote attacker can exploit this by sending specially crafted HTTP requests that cause additional headers to be injected, potentially bypassing security mechanisms and gaining unauthorized access to protected information.
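The mechanism described above, shown as an added example that is not Apache APISIX code: a minimal header serializer that copies values into a header block naively, next to the same serializer with CR/LF neutralization. The header names and the attacker-controlled value are constructed for the demo; the parser models how a receiving server splits a header block on CRLF.

```python
"""CRLF header injection, demonstrated on a tiny header serializer.

Added example, not Apache APISIX code.  It shows why a value that still
contains CR or LF must never be copied into an outgoing HTTP header, and
what neutralizing it looks like.  Header names and values below are
constructed for the demo.
"""
import re

CRLF = "\r\n"
# Any CR or LF inside a field value is illegal in HTTP/1.1 (RFC 7230 s.3.2).
_CTL_RE = re.compile(r"[\r\n]")


def serialize_naive(headers):
    """Build a raw header block without checking values (the vulnerable pattern)."""
    return "".join(f"{name}: {value}{CRLF}" for name, value in headers) + CRLF


def parse_header_block(raw):
    """Parse a raw header block the way a receiving server would.

    Returns a list of (name, value) pairs in wire order; the first empty
    line ends the block.
    """
    parsed = []
    for line in raw.split(CRLF):
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        parsed.append((name.strip(), value.strip()))
    return parsed


def has_crlf(value):
    """True if the value would split the header line it is placed in."""
    return _CTL_RE.search(value) is not None


def reject_crlf(value):
    """Strict neutralization: refuse any value carrying CR or LF."""
    if has_crlf(value):
        raise ValueError("CR/LF in header value")
    return value


def strip_crlf(value):
    """Lenient neutralization: drop CR/LF so the value cannot end the line."""
    return _CTL_RE.sub("", value)


def serialize_safe(headers, neutralize=reject_crlf):
    """Build a header block, neutralizing every value first.

    Header names are treated as fixed here; if a name can also be
    attacker-controlled it needs the same treatment.
    """
    return "".join(f"{name}: {neutralize(value)}{CRLF}" for name, value in headers) + CRLF


def demo():
    """Serialize a constructed request both ways and return what a receiver sees."""
    # Constructed attacker value: a URI that smuggles a second header line.
    evil_uri = "/public\r\nX-Auth-Role: admin"
    headers = [("Host", "api.example.test"), ("X-Forwarded-Uri", evil_uri)]

    naive = parse_header_block(serialize_naive(headers))
    safe = parse_header_block(serialize_safe(headers, strip_crlf))
    return naive, safe


if __name__ == "__main__":
    naive, safe = demo()
    print("naive :", naive)  # three headers, including the injected X-Auth-Role
    print("safe  :", safe)   # two headers, the CRLF collapsed into the URI value
```

Rejecting (`reject_crlf`) is the safer default for a gateway, since a CR or LF in a forwarded value is never legitimate and stripping silently can still produce a value the upstream misreads; stripping is shown only to make the contrast visible in one run.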
Recommendations
Upgrade to version 3.16.0.
Exploit
Fix
Related Identifiers
Affected Products
Apache Apisix