Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Q1-2023 API ThreatStats™ Report

There’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. Find out why in our latest API ThreatStats™ report infographic.

Thanks for filling out the form!
The resource link will open in the new tab. If its not, please follow this link
Oops! Something went wrong while submitting the form.

According to a Mar-2022 API survey by Gartner, 98% of organizations use or are planning to use internal APIs – up from 88% in 2019. And 90% of organizations use or are planning to use private APIs provided by partners – up from 68% in 2019.

Obviously, there’s a big blind spot in your API security posture if you’re only focused on protecting your public-facing APIs. This is backed up by our latest findings, which you can find in the Q1-2023 API ThreatStats™ report infographic.

The initial analysis the API vulnerabilities publicly released in Q1-2023 suggests a continued slow rise in the number, while the severity remains in the High range. But as we’ve seen in previous reports, what’s hidden beneath the surface is that will bite you.

Key Takeaways

As always, digging deeper into the data provides us with a better view of where these API vulnerabilities will impact defenders and builders alike.

Protect Your Private APIs

Defending your internal infrastructure continues to be job #1.

Q1-2023 saw a big rise in security vulnerabilities found in key components of internal processes, such in SAP NetWeaver AS for Java (CVE-2023-0017) and NVIDIA’s graphics cards (CVE-2022-42279). In all, our top-10 Most Impactful API vulnerabilities all fell in the internal infrastructure categories – Dev Tools, Enterprise HW / SW, and Cloud Platforms. And the products impacted include names such as GitLab, Kubernetes, and HashiCorp.

Find the complete list in the Q1-2023 API ThreatStats™ report infographic.

This is not to throw shade on these companies. Rather, these vulnerabilities highlight the urgent need for tech-driven companies to prioritize securing their private APIs to protect valuable data and maintain business continuity.

Protect Against Injection Vulnerabilities

In short, injection vulnerabilities are your Achilles Heel. No matter how you count them, a huge number of all API vulnerabilities cataloged in Q1-2023 fell into this bucket.

On one hand, 29.4% of all API vulnerabilities were classified in the OWASP APIsec Top-10 API8:2019 (Injection) category – which saw it dip below another category for the first time.

On the other hand, 45.3% of all API vulnerabilities were linked to a CWE which falls in the Injection bucket, including CWE-79 (XSS) at 10.1% overall, CWE-89 (SQLi) at 7.4% overall, and CWE-863 (GraphQL Mutation) at 6.6% overall. Combined, these accounted for 53% of all injection vulnerabilities assessed.

Protect Against Exploits

Last quarter we saw the time-to-exploit – the gap between when an API vulnerability (CVE) is published and an associated exploit proof of concept (POC) is published – averaged -3 days!

In Q1-2023, this gap reverted to favor defenders again, with the time-to-exploit gap averaging +11 days. In addition, we saw a big drop in the number of exploit POCs being published – from 65 (or about 30% of all vulns) last quarter to 24 this quarter (or about 10% of all vulns).

All this is good news, to be sure. But there are a couple of reasons to be cautious:

  • First, the average CVSS score for exploited API vulnerabilities is in the High range (8.9 – 7.0), meaning hackers (no matter their stripes) are not just focused on Critical (9.0 – 10.0) vulnerabilities but are finding less obvious exploits.
  • Second, while this appears to be a case of “reversion to the mean” (the overall average for 2022 was +9 days), we suggest that a) the 2022 data was skewed by our limited data collection in the first half of the year, and b) the Q1-2023 data might be skewed for external reasons such as year-end holidays.

It’s too early to call a trend here, and we’ll continue monitoring to see if one can be discerned.

Trusted by the world’s most innovative companies:

15 min

To unboard and view secutity results
“I needed cloud security tooling that could get me visibility fast. Wallarm answers all my visibility needs within minutes — across multiple clouds.”
Miro Logo


per year in const savings
“With Wallarm, we've been able to scale API protection to the scale we need and manage with our infrastructure as a code approach.”
Rappi Logo


visibility into multi-cloud environments
“With Wallarm, we've been able to scale API protection to the scale we need and manage with our infrastructure as a code approach.”
Dropbox Logo
Panasonic Logo
Victoria's Secret Logo
Miro Logo
Gannet Logo
Dropbox Logo
Rappi Logo
Wargaming Logo
Semrush Logo
Tipalti Logo
UZ Leuven Logo

Ready to protect your APIs?

Wallarm helps you develop fast and stay secure.