Description
Problem Description
https://mp.weixin.qq.com/s/zsv3QpTipcnjvpWK7kZ6sw
The Apache APISIX security advisory published on June 19, 2026 states that 3.16.1 is the fixed version for four CVEs (CVE-2026-39998, CVE-2026-39999, CVE-2026-44046, CVE-2026-44087), and explicitly recommends users who "cannot immediately upgrade to 3.17.0" to "at least upgrade to 3.16.1."
However, upon verification:
- GitHub Releases shows 3.16.0 as the latest version
- Docker Hub has no 3.16.1 tag
- Official download channels do not provide version 3.16.1
Requests
- What is the concrete release timeline for 3.16.1? Is there a published date or ETA?
- Why was the advisory published before the release? Is this expected process, or is there a release pipeline blockage?
Environment
- APISIX version (run
apisix version):
- Operating system (run
uname -a):
- OpenResty / Nginx version (run
openresty -V or nginx -V):
- etcd version, if relevant (run
curl http://127.0.0.1:9090/v1/server_info):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run
luarocks --version):
Description
Problem Description
The Apache APISIX security advisory published on June 19, 2026 states that 3.16.1 is the fixed version for four CVEs (CVE-2026-39998, CVE-2026-39999, CVE-2026-44046, CVE-2026-44087), and explicitly recommends users who "cannot immediately upgrade to 3.17.0" to "at least upgrade to 3.16.1."
However, upon verification:
Requests
Environment
apisix version):uname -a):openresty -Vornginx -V):curl http://127.0.0.1:9090/v1/server_info):luarocks --version):