🔐 CVE Alert

CVE-2026-26308

Severity: HIGH (CVSS 7.5)

Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic flaw in how it validates HTTP headers when a request carries several values for the same header name. Instead of validating each value individually, Envoy concatenates all of the values into a single comma-separated string and matches the rule against that string. An attacker can therefore bypass RBAC policies, specifically "Deny" rules that use an exact-match header matcher, by sending the header twice: a rule that denies requests whose header equals a forbidden value is evaluated against "forbidden,anything", which no longer equals the forbidden value, so the deny rule never fires and the request falls through to whatever the policy allows. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
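The matching step described above, modelled in plain Python so the concatenation behaviour and the bypass can be run offline. This is an added illustration, not Envoy's code: the DENY_POLICY dict, the request set and the function names are assumptions made for the example. The "vulnerable" matcher joins repeated values with a comma before comparing, the "fixed" matcher compares each value on its own as the advisory describes, and a third matcher shows a regex-based interim idea for proxies that cannot be upgraded yet (my suggestion, not something the advisory recommends).

```python
"""Model of the multi-value header bug in Envoy's RBAC filter (CVE-2026-26308).

Constructed illustration, not Envoy code: it re-implements the header-matching
step of a single DENY policy in plain Python so the concatenation behaviour and
the resulting bypass can be executed and checked offline.
"""
import re
from typing import Callable, Dict, List, Tuple

# Ordered (name, value) pairs; names already lowercased, as HTTP/2 requires.
Headers = List[Tuple[str, str]]

# A DENY policy in the spirit of an Envoy RBAC HeaderMatcher with an exact
# string match (assumed shape, for illustration only): drop any request whose
# x-role header is exactly "blocked".
DENY_POLICY = {"header": "x-role", "exact": "blocked"}

Matcher = Callable[[Headers, str, str], bool]


def header_values(headers: Headers, name: str) -> List[str]:
    """All values carried for `name`, in wire order."""
    return [v for n, v in headers if n == name]


def matches_vulnerable(headers: Headers, name: str, exact: str) -> bool:
    """Pre-fix behaviour: every value is joined with ',' and the joined string
    is compared against the rule. A second copy of the header changes the
    joined string, so the exact-match DENY rule no longer fires."""
    joined = ",".join(header_values(headers, name))
    return joined == exact


def matches_fixed(headers: Headers, name: str, exact: str) -> bool:
    """Per-value matching, as the advisory describes the corrected logic:
    the rule fires if any individual value equals `exact`."""
    return any(v == exact for v in header_values(headers, name))


def matches_regex_workaround(headers: Headers, name: str, exact: str) -> bool:
    """Interim idea for unpatched proxies (my suggestion, not from the advisory):
    match the joined string with a regex that accepts the forbidden value as a
    whole comma-separated element. Over-denies values that themselves contain
    commas, which is the safe direction for a DENY rule."""
    joined = ",".join(header_values(headers, name))
    pattern = r"(^|,)" + re.escape(exact) + r"($|,)"
    return re.search(pattern, joined) is not None


def rbac_decision(headers: Headers, matcher: Matcher) -> str:
    """Evaluate the single DENY policy: a match denies, anything else is allowed."""
    if matcher(headers, DENY_POLICY["header"], DENY_POLICY["exact"]):
        return "DENY"
    return "ALLOW"


# Constructed requests exercising the rule.
REQUESTS: Dict[str, Headers] = {
    "single":    [("x-role", "blocked")],                   # must be denied
    "duplicate": [("x-role", "blocked"), ("x-role", "x")],  # the bypass attempt
    "benign":    [("x-role", "user")],                      # must be allowed
    "absent":    [("host", "example.test")],                # header not present
}


def decisions(matcher: Matcher) -> Dict[str, str]:
    """Decision for every constructed request under the given matcher."""
    return {label: rbac_decision(h, matcher) for label, h in REQUESTS.items()}


if __name__ == "__main__":
    for label, fn in (("vulnerable", matches_vulnerable),
                      ("fixed", matches_fixed),
                      ("regex workaround", matches_regex_workaround)):
        print(f"{label:>16}: {decisions(fn)}")
```

Under the vulnerable matcher the "duplicate" request is allowed even though it carries the forbidden value; under per-value matching it is denied. When testing a real deployment, send the header twice from the client and confirm that no intermediary in front of Envoy merges duplicate headers first, otherwise the test exercises the intermediary rather than the RBAC filter.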

CWE: CWE-863 (Incorrect Authorization)
Vendor: envoyproxy
Product: envoy
Published: Mar 10, 2026
Last Updated: Mar 10, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Affected Versions

envoyproxy / envoy
>= 1.37.0, < 1.37.1
>= 1.36.0, < 1.36.5
>= 1.35.0, < 1.35.9 (the advisory text above names 1.35.8 as the fixed release for the 1.35 line, which conflicts with this range; confirm against the GHSA advisory before treating 1.35.8 as patched)
< 1.34.13

References

NVD
CVE.org
EPSS Data
GitHub advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5
GitHub commit: https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867