Apache APISIX default token (CVE-2020-13945/CVE-2022-24112)
Description
Apache APISIX releases affected by CVE-2020-13945 ship with a default Admin API key that is publicly documented and left unchanged in many deployments. CVE-2022-24112 compounds the problem: in the affected 2.x releases the batch-requests plugin lets an attacker have the gateway itself forward requests to the Admin API, bypassing the IP allow list (allow_admin) that would otherwise keep the default key out of reach from the network. Whoever holds the key has full control of the gateway configuration, including routes, plugins, consumers and upstream services, without any further authentication, and in a default configuration that control is enough to run attacker-chosen code on the gateway host.
Remediation
Immediately replace the default Admin API key with a strong, randomly generated value. Edit the configuration file (conf/config.yaml, or whichever config.yaml the instance loads) and set apisix.admin_key; on APISIX 3.x the same block lives under deployment.admin instead:

    apisix:
      admin_key:
        - name: admin
          key: YOUR_SECURE_RANDOM_TOKEN_HERE   # replace with a strong random token
          role: admin
      allow_admin:
        - 127.0.0.0/24                        # only addresses on this list may call the Admin API

Generate the token from a cryptographically secure source, for example openssl rand -hex 32. Additionally, restrict network access to the Admin API with firewall rules, or bind it to localhost if remote access is not required. On current releases the Admin API listens on port 9180 by default; the 2.x releases affected by these CVEs served it on port 9080, the same port as proxied traffic, so check which port your instance actually uses before writing firewall rules. Because CVE-2022-24112 bypasses allow_admin through the batch-requests plugin, a key rotation alone is not sufficient on affected 2.x releases: upgrade to 2.10.4 or 2.12.2 (or later), or disable the batch-requests plugin if you do not use it. After making the changes, restart the APISIX service and verify that a request carrying the old default key is rejected with HTTP 401 and that the new key is required for Admin API access. Review the access logs for Admin API requests (paths under /apisix/admin/) from unexpected source addresses covering the period in which the default key was active.
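The remediation steps above carried through as a bash script. This is an added example, not code from the APISIX project: it generates a replacement key, rejects the publicly documented default (edd1c9f034335f136f87ad84b625c8f1) and other weak keys, renders the 2.x config fragment, checks a running instance using the real Admin API conventions (the X-API-KEY header and the /apisix/admin/routes endpoint), and scans access-log lines for Admin API calls from outside a trusted address prefix. The log lines are constructed for the example, the Admin API base URL is assumed to be http://127.0.0.1:9180, and the prefix match stands in for a proper CIDR check.

```bash
#!/usr/bin/env bash
# Added example (not APISIX project code): rotate the Admin API key, render the
# config fragment, verify the rotation against a live instance, and scan logs.
set -euo pipefail

# The publicly documented key shipped in affected releases (CVE-2020-13945).
DEFAULT_ADMIN_KEY="edd1c9f034335f136f87ad84b625c8f1"

# 256-bit random key, hex encoded (64 chars). Falls back to /dev/urandom
# when openssl is not installed.
generate_admin_key() {
  openssl rand -hex 32 2>/dev/null ||
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reject keys that are empty, equal to the known default, or too short to
# resist brute force. Prints the reason and returns non-zero on rejection.
check_admin_key() {
  local key="${1:-}"
  if [ -z "$key" ]; then echo "rejected: empty key"; return 1; fi
  if [ "$key" = "$DEFAULT_ADMIN_KEY" ]; then echo "rejected: default key"; return 1; fi
  if [ "${#key}" -lt 32 ]; then echo "rejected: shorter than 32 characters"; return 1; fi
  echo "ok"
}

# Config fragment for APISIX 2.x (on 3.x the block lives under deployment.admin).
# allow_admin keeps the listener closed to everything but the loopback network.
render_admin_config() {
  local key="$1"
  cat <<EOF
apisix:
  admin_key:
    - name: admin
      key: ${key}
      role: admin
  allow_admin:
    - 127.0.0.0/24
EOF
}

# Live check (needs a running instance, so it is not part of the offline run):
# the default key must get 401 and the new key must get 200 on /apisix/admin/routes.
# The base URL is an assumption; adjust it to the admin listener you configured.
verify_rotation() {
  local new_key="$1" base="${2:-http://127.0.0.1:9180}" code
  code=$(curl -s -o /dev/null -w '%{http_code}' \
         -H "X-API-KEY: ${DEFAULT_ADMIN_KEY}" "${base}/apisix/admin/routes")
  [ "$code" = "401" ] || { echo "default key still accepted (HTTP ${code})"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' \
         -H "X-API-KEY: ${new_key}" "${base}/apisix/admin/routes")
  [ "$code" = "200" ] || { echo "new key not accepted (HTTP ${code})"; return 1; }
  echo "rotation verified"
}

# Print Admin API requests whose source address (field 1 in the stock access
# log format) does not start with the trusted prefix. Prefix matching is a
# simplification of a real CIDR check.
admin_requests_from_outside() {
  local trusted_prefix="$1"
  awk -v p="$trusted_prefix" 'index($0, "/apisix/admin/") && index($1, p) != 1'
}

# Constructed sample log lines (not captured from a real gateway).
SAMPLE_LOG='127.0.0.1 - - [10/Mar/2024:10:00:01 +0000] "GET /apisix/admin/routes HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:02:17 +0000] "PUT /apisix/admin/routes/1 HTTP/1.1" 201
198.51.100.4 - - [10/Mar/2024:10:03:00 +0000] "GET /hello HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2024:10:04:41 +0000] "DELETE /apisix/admin/routes/1 HTTP/1.1" 200'

# Offline demonstration: generate, validate, render, and scan the sample log.
NEW_KEY=$(generate_admin_key)
check_admin_key "$DEFAULT_ADMIN_KEY" || true   # prints "rejected: default key"
check_admin_key "$NEW_KEY"                     # prints "ok"
render_admin_config "$NEW_KEY"
printf '%s\n' "$SAMPLE_LOG" | admin_requests_from_outside '127.0.0.'
# verify_rotation "$NEW_KEY"   # run after restarting APISIX with the new config
```

Run the script, paste the rendered fragment into config.yaml, restart APISIX, and then call verify_rotation with the same key; a 401 for the default key is the check that confirms the rotation actually took effect. Feed the real access log through admin_requests_from_outside with your allow_admin prefix to list the requests that need investigation.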