CVE-2026-26308
Published 2026-03-10
Priority P348 · Severity high · CVSS 3.1 base score 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.29% (20.9th percentile)
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
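To make the flaw concrete, the following is an added illustration (not Envoy's own code) of an exact-match "Deny" header rule: the vulnerable path joins every value of a repeated header into one comma-separated string before comparing, so the string never equals the single denied value, while the corrected path checks each value on its own. The header name `X-Internal-Access`, its values and the policy are constructed for this example; the real Envoy rule in the advisory's scenario is not shown on the page.

```python
"""Model of the RBAC header-matching flaw described in CVE-2026-26308.

Added illustration, not Envoy's own code: a minimal stand-in for an
exact-match "Deny" header rule, showing why joining duplicate header values
into one comma-separated string lets a denied value slip past, and how
checking each value individually closes the gap. The header name, values
and policy below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List


def parse_headers(raw_lines: List[str]) -> Dict[str, List[str]]:
    """Group raw 'Name: value' lines by lower-cased name, keeping wire order,
    so a header sent twice yields a two-element list."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for line in raw_lines:
        name, _, value = line.partition(":")
        grouped[name.strip().lower()].append(value.strip())
    return dict(grouped)


def joined_value(headers: Dict[str, List[str]], name: str) -> str:
    """Vulnerable behaviour: all values for one name are concatenated with
    commas before the rule compares them."""
    return ",".join(headers.get(name.lower(), []))


def deny_vulnerable(headers: Dict[str, List[str]], name: str, banned: str) -> bool:
    """Exact-match Deny rule evaluated against the joined string (True = denied)."""
    return joined_value(headers, name) == banned


def deny_fixed(headers: Dict[str, List[str]], name: str, banned: str) -> bool:
    """Corrected behaviour: deny when any individual value matches, however
    many other values travel under the same header name."""
    return any(v == banned for v in headers.get(name.lower(), []))


# Constructed requests; the header name and flag value are hypothetical.
SINGLE = parse_headers(["Host: app.internal", "X-Internal-Access: true"])
DUPLICATED = parse_headers(
    ["Host: app.internal", "X-Internal-Access: false", "X-Internal-Access: true"])

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("duplicated", DUPLICATED)):
        print(f"{label:10} joined={joined_value(req, 'x-internal-access')!r:14}"
              f" vulnerable_denies={deny_vulnerable(req, 'x-internal-access', 'true')}"
              f" fixed_denies={deny_fixed(req, 'x-internal-access', 'true')}")
```

Run stand-alone, the single-header request is denied by both versions, while the duplicated request is denied only by the per-value check, which is the behaviour the fixed releases restore.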
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.34.13 | 1.34.13 |
| envoyproxy | envoy | >= 1.35.0 < 1.35.8 | 1.35.8 |
| envoyproxy | envoy | >= 1.36.0 < 1.36.5 | 1.36.5 |
| github.com | envoyproxy_envoy | >= 0 < 1.34.13 | 1.34.13 |
| github.com | envoyproxy_envoy | 0 – 1.34.12 | — |
| github.com | envoyproxy_envoy | >= 1.35.0 < 1.35.9 | 1.35.9 |
| github.com | envoyproxy_envoy | 1.35.0 – 1.35.8 | — |
| github.com | envoyproxy_envoy | >= 1.36.0 < 1.36.5 | 1.36.5 |
| github.com | envoyproxy_envoy | 1.36.0 – 1.36.4 | — |
| github.com | envoyproxy_envoy | >= 1.37.0 < 1.37.1 | 1.37.1 |
GHSA · 2026-03-10 · CVE-2026-26308 [HIGH] CWE-20
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
## 1. Summary
The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.
## 2. Attack Scenario
Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.
### Configuration
The Envoy proxy is configured with a **Deny** rule to rejec
OSV · 2026-03-10 · CVE-2026-26308 [HIGH]
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Wiz · CVSS 7.5 · CVE-2026-26308 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26308: Envoy vulnerability analysis and mitigation
Description: the NVD summary above (Source: NVD)
Score 8.2 · Published March 10, 2026 · Severity HIGH · CNA Score 7.5
Wiz · CVSS 7.5 · CVE-2026-26310 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26310: Envoy vulnerability analysis and mitigation
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, calling Utility::getAddressWithPort with a scoped IPv6 address causes a crash. This utility is called in the data plane from the original_src filter and the dns filter. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Source: NVD
Score 7.5 · Published March 10, 2026 · Severity HIGH · CNA Score 5.9
Affected Technologies: Envoy, Amazon Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.5 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: github.com/envoyproxy/envoy, envoy
Wiz · CVSS 5.9 · CVE-2026-26311 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26311: Envoy vulnerability analysis and mitigation
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, a logic vulnerability in Envoy's HTTP connection manager (FilterManager) allows for Zombie Stream Filter Execution. This issue creates a "Use-After-Free" (UAF) or state-corruption window where filter callbacks are invoked on an HTTP stream that has already been logically reset and cleaned up. The vulnerability resides in source/common/http/filter_manager.cc within the FilterManager::decodeData method. The ActiveStream object remains valid in memory during the deferred deletion window. If a DATA frame arrives on this stream immediately after the reset (e.g., in the same packet processing cycle), the HTTP/2 codec invokes A
Wiz · CVSS 7.5 · CVE-2026-26309 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26309: Envoy vulnerability analysis and mitigation
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Source: NVD
Score 5.3 · Published March 10, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: Envoy, Amazon Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.1 · Exploitation Probability (EPSS): N/A
Wiz · CVSS 7.5 · CVE-2026-26330 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26330: Envoy vulnerability analysis and mitigation
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, at the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. When both the request phase limit and response phase limit are enabled, the same gRPC client instance will be re-used for both the request phase request and response phase request. But after the request phase request is done, the inner state of the request phase limit request in the gRPC client is not cleaned up. When a second limit request is sent at response phase, and the second limit request fails directly, the previous request's inn