cbcvebase.
CVE-2026-26308
published 2026-03-10

CVE-2026-26308: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains…

PriorityP348high8.2CVSS 3.1
AVNACLPRNUINSUCHILAN
EPSS
0.29%
20.9th percentile
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

Affected

14 ranges
VendorProductVersion rangeFixed in
envoyproxyenvoy< 1.34.131.34.13
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy
envoyproxyenvoy>= 1.35.0 < 1.35.81.35.8
envoyproxyenvoy>= 1.36.0 < 1.36.51.36.5
github.comenvoyproxy_envoy>= 0 < 1.34.131.34.13
github.comenvoyproxy_envoy0 – 1.34.12
github.comenvoyproxy_envoy>= 1.35.0 < 1.35.91.35.9
github.comenvoyproxy_envoy1.35.0 – 1.35.8
github.comenvoyproxy_envoy>= 1.36.0 < 1.36.51.36.5
github.comenvoyproxy_envoy1.36.0 – 1.36.4
github.comenvoyproxy_envoy>= 1.37.0 < 1.37.11.37.1
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.