CVE-2026-26308
HIGH WAF: Low
CVSS 8.2
Published: 2026-03-10
CWE-863
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| envoyproxy | envoy | up to 1.34.13 |
| envoyproxy | envoy | 1.35.0 - 1.35.8 |
| envoyproxy | envoy | 1.36.0 - 1.36.5 |
| envoyproxy | envoy | 1.37.0 |
References
- github.com (Patch)
- github.com (Exploit, Mitigation, Vendor Advisory)