CVE-2026-22771
📋 TL;DR
Envoy Gateway versions before 1.5.7 (1.5.x line) and 1.6.2 (1.6.x line) allow a Lua script configured through an EnvoyExtensionPolicy to read the credentials the Envoy proxy uses to reach the Envoy Gateway control plane. An attacker who can get such a script deployed can authenticate to the control plane with those credentials and retrieve the sensitive secrets it holds, such as TLS private keys and other communication credentials. Every deployment running a vulnerable version in which EnvoyExtensionPolicy Lua scripts are in use is affected.
💻 Affected Systems
- Envoy Gateway
📦 What is this software?
Gateway by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the secrets held by the Envoy Gateway control plane (TLS private keys and certificates, authentication credentials, sensitive configuration), allowing interception or decryption of gateway traffic, impersonation of the services the gateway fronts, and lateral movement with the stolen credentials.
Likely Case
An attacker who can deploy a Lua script through an EnvoyExtensionPolicy obtains the proxy's control-plane credentials, uses them to pull secrets from the control plane, and can then intercept traffic or disrupt services.
If Mitigated
Limited impact if network segmentation and access controls keep the leaked credentials from being reused beyond the gateway; the leaked credentials should still be treated as compromised and rotated.
🎯 Exploit Status
Exploitation requires the ability to create or modify EnvoyExtensionPolicy resources (a Kubernetes write permission on that custom resource), so the attacker needs some level of access to the gateway configuration. In clusters where application teams are allowed to manage their own extension policies, that permission is usually held far more widely than access to the gateway's secrets, which is what turns this into a privilege-escalation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.7 (1.5.x line) or 1.6.2 (1.6.x line)
Vendor Advisory: https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
Restart Required: Yes
Instructions:
1. Update Envoy Gateway to version 1.5.7 or 1.6.2.
2. For Kubernetes deployments: update the Envoy Gateway Helm chart or deployment manifest.
3. Restart all Envoy Gateway pods/instances.
4. Verify the new version is running.
🔧 Temporary Workarounds
Disable EnvoyExtensionPolicy Lua scripts
Temporarily disable or restrict EnvoyExtensionPolicy resources that configure Lua scripts until the patch can be applied.
# List every EnvoyExtensionPolicy in the cluster, then inspect each one for a Lua section
kubectl get envoyextensionpolicies -A
# Remove or modify the policies that configure Lua scripts
🧯 If You Can't Patch
- Restrict create, update and patch on EnvoyExtensionPolicy resources to the platform team via RBAC, so that application teams cannot introduce Lua scripts into the gateway.
- Segment the network so that only the Envoy proxies can reach the control plane, and rotate the secrets the control plane holds (TLS keys, communication credentials) on the assumption that they may already have been read.
🔍 How to Verify
Check if Vulnerable:
Envoy Gateway releases earlier than 1.5.7 on the 1.5.x line, or earlier than 1.6.2 on the 1.6.x line, are vulnerable whenever an EnvoyExtensionPolicy that configures a Lua script is present. Without any Lua policy the flaw is present but not reachable, so a version check alone does not tell you whether you are exposed.
Check Version:
Use the version reported by the envoy-gateway binary, or read the image tag from the envoy-gateway Deployment (installed by default in the envoy-gateway-system namespace) or the installed Helm chart version.
Verify Fix Applied:
Confirm the running version is 1.5.7 or 1.6.2 or later on its release line, then confirm that a Lua script deployed through an EnvoyExtensionPolicy can no longer read the proxy's control-plane credentials.
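The following triage helper is an added example written for this page; it is not Envoy Gateway project code. It covers both the workaround (find the EnvoyExtensionPolicy resources that carry Lua filters) and the version check above. It parses the JSON that `kubectl get envoyextensionpolicies -A -o json` prints (the sample document is constructed here) and an image tag or reference. It assumes that Lua filters live under `spec.lua` with entries of type `Inline` or `ValueRef`, and that release lines newer than 1.6 are fixed while lines older than 1.5 are not; check both assumptions against your installed CRD and the vendor advisory.

```python
"""Added triage helper for CVE-2026-22771 (example code, not Envoy Gateway project code).

Assumptions (verify against your installed CRD and the vendor advisory):
  * Lua filters sit under `spec.lua` in an EnvoyExtensionPolicy, each entry
    carrying `type: Inline` (script in the resource) or `type: ValueRef`
    (script loaded from a referenced object).
  * 1.5.x is fixed from 1.5.7 and 1.6.x from 1.6.2 (the page's fixed versions);
    lines newer than 1.6 are treated as fixed and lines older than 1.5 as unfixed.
"""
import json
import re

# minor version -> first patch release carrying the fix (from the advisory summary)
FIRST_FIXED_PATCH = {5: 7, 6: 2}


def parse_version(image_or_tag: str) -> tuple[int, int, int]:
    """Pull MAJOR.MINOR.PATCH out of a tag or a full image reference such as
    'docker.io/envoyproxy/gateway:v1.6.1'. Pre-release suffixes are ignored;
    a tag without a version (for example 'latest') is rejected."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", image_or_tag)
    if not m:
        raise ValueError(f"no semantic version in {image_or_tag!r}; resolve the image to a release tag first")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(image_or_tag: str) -> bool:
    major, minor, patch = parse_version(image_or_tag)
    if major != 1:
        return major < 1            # 0.x predates the fix; 2.x assumed fixed
    if minor in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[minor]
    return minor < 5                # older lines have no fix (assumption); 1.7+ assumed fixed


def lua_policies(kubectl_json: str) -> list[dict]:
    """Return the EnvoyExtensionPolicy objects that configure Lua filters,
    given the output of `kubectl get envoyextensionpolicies -A -o json`."""
    doc = json.loads(kubectl_json)
    hits = []
    for item in doc.get("items", []):
        lua_entries = item.get("spec", {}).get("lua") or []   # field name is an assumption
        if not lua_entries:
            continue
        meta = item.get("metadata", {})
        hits.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "lua_types": sorted({e.get("type", "?") for e in lua_entries}),
        })
    return hits


def triage(image_or_tag: str, kubectl_json: str) -> dict:
    """Combine both checks: exposed only if the version is unfixed AND Lua is in use."""
    vulnerable_version = is_vulnerable_version(image_or_tag)
    policies = lua_policies(kubectl_json)
    return {
        "vulnerable_version": vulnerable_version,
        "lua_policies": policies,
        "exposed": vulnerable_version and bool(policies),
    }


# Constructed sample: what the kubectl command might print in a small cluster.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"namespace": "default", "name": "lua-header-rewrite"},
            "spec": {
                "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "shop"}],
                "lua": [{"type": "Inline", "inline": "function envoy_on_request(h) h:headers():add('x-tenant', 'shop') end"}],
            },
        },
        {
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"namespace": "team-a", "name": "extproc-only"},
            "spec": {"extProc": [{"backendRefs": [{"name": "authz", "port": 9002}]}]},
        },
        {
            "apiVersion": "gateway.envoyproxy.io/v1alpha1",
            "kind": "EnvoyExtensionPolicy",
            "metadata": {"namespace": "team-b", "name": "lua-from-configmap"},
            "spec": {"lua": [{"type": "ValueRef", "valueRef": {"kind": "ConfigMap", "name": "rewrite-script"}}]},
        },
    ],
})

if __name__ == "__main__":
    # Feed it real data with:  kubectl get envoyextensionpolicies -A -o json > policies.json
    report = triage("docker.io/envoyproxy/gateway:v1.6.1", SAMPLE_KUBECTL_JSON)
    print(json.dumps(report, indent=2))
```

The version check deliberately refuses tags such as `latest`: resolve the digest to a release tag before deciding, rather than guessing. A policy that references its script through `ValueRef` is reported with the same weight as an inline one, since the script content is not what matters here, only that the Lua filter is loaded into the proxy.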
📡 Detection & Monitoring
Log Indicators:
- Kubernetes audit events that create or modify EnvoyExtensionPolicy resources containing Lua, especially from users who do not normally manage gateway configuration
- Control-plane authentication from identities or sources other than the Envoy proxy pods
- Unusual credential usage, such as the gateway's TLS keys or communication credentials being used from outside the gateway
Network Indicators:
- Connections to the control plane from anything other than the Envoy proxy pods (the proxies connect to the control plane legitimately, so a proxy-to-control-plane connection on its own is not an indicator)
- Anomalous outbound traffic from proxy pods that could carry exfiltrated credentials
SIEM Query:
source="envoy-gateway" AND ("EnvoyExtensionPolicy" OR "lua") AND ("credential" OR "secret" OR "unauthorized")
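The audit-log indicator above can be turned into a concrete filter. The following is an added example written for this page, not a vendor or Envoy Gateway artifact: it scans Kubernetes API audit events (constructed sample lines below) and flags every create, update or patch of an EnvoyExtensionPolicy that introduces a Lua filter. It assumes the audit policy records these resources at level `Request` or `RequestResponse`, so that `requestObject` is present; at `Metadata` level the body is absent and the event is surfaced for manual review instead. For `patch` the recorded body is the patch rather than the full object, so the check is a recursive search for a `lua` key or a `/spec/lua` path.

```python
"""Added detection example for CVE-2026-22771 (written for this page, not an Envoy
Gateway or vendor artifact). Flags Kubernetes API audit events that write a Lua
filter into an EnvoyExtensionPolicy. Field names for the Lua section (`spec.lua`)
are an assumption; check them against your installed CRD."""
import json
from typing import Any, Iterable, Iterator

WATCHED_RESOURCE = "envoyextensionpolicies"
WATCHED_VERBS = {"create", "update", "patch"}


def _contains_key(node: Any, key: str) -> bool:
    """Recursively look for a non-empty `key` anywhere in a JSON document.
    Handles full objects, merge patches and JSON-patch arrays, where the field
    is named in a path such as "/spec/lua" rather than as a dict key."""
    if isinstance(node, dict):
        if key in node and node[key]:
            return True
        return any(_contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(_contains_key(v, key) for v in node)
    if isinstance(node, str):
        return f"/{key}/" in node or node.endswith(f"/{key}")
    return False


def lua_policy_changes(audit_lines: Iterable[str]) -> Iterator[dict]:
    """Yield one finding per audit event that creates or changes an
    EnvoyExtensionPolicy and either carries Lua or cannot be inspected."""
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        obj = ev.get("objectRef", {})
        if obj.get("resource") != WATCHED_RESOURCE or ev.get("verb") not in WATCHED_VERBS:
            continue
        body = ev.get("requestObject")
        if body is None:
            status = "body-missing"        # audit level too low to see the content
        elif _contains_key(body, "lua"):
            status = "lua"
        else:
            continue                       # write to a policy that carries no Lua
        yield {
            "time": ev.get("requestReceivedTimestamp"),
            "user": ev.get("user", {}).get("username"),
            "verb": ev.get("verb"),
            "namespace": obj.get("namespace"),
            "name": obj.get("name"),
            "status": status,
        }


def _event(**fields: Any) -> str:
    base = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse"}
    base.update(fields)
    return json.dumps(base)


# Constructed sample audit lines (not real cluster data).
SAMPLE_AUDIT_LINES = [
    _event(verb="create", requestReceivedTimestamp="2026-01-20T10:15:02Z",
           user={"username": "dev-alice"},
           objectRef={"apiGroup": "gateway.envoyproxy.io", "resource": WATCHED_RESOURCE,
                      "namespace": "shop", "name": "tenant-header"},
           requestObject={"spec": {"lua": [{"type": "Inline", "inline": "function envoy_on_request(h) end"}]}}),
    _event(verb="update", requestReceivedTimestamp="2026-01-20T10:16:40Z",
           user={"username": "platform-bot"},
           objectRef={"apiGroup": "gateway.envoyproxy.io", "resource": WATCHED_RESOURCE,
                      "namespace": "shop", "name": "authz-extproc"},
           requestObject={"spec": {"extProc": [{"backendRefs": [{"name": "authz", "port": 9002}]}]}}),
    _event(verb="patch", requestReceivedTimestamp="2026-01-20T10:18:11Z",
           user={"username": "dev-alice"},
           objectRef={"apiGroup": "gateway.envoyproxy.io", "resource": WATCHED_RESOURCE,
                      "namespace": "shop", "name": "tenant-header"},
           requestObject=[{"op": "add", "path": "/spec/lua", "value": [{"type": "Inline", "inline": "..."}]}]),
    _event(level="Metadata", verb="create", requestReceivedTimestamp="2026-01-20T10:20:00Z",
           user={"username": "dev-bob"},
           objectRef={"apiGroup": "gateway.envoyproxy.io", "resource": WATCHED_RESOURCE,
                      "namespace": "legacy", "name": "legacy-rewrite"}),
    _event(verb="create", requestReceivedTimestamp="2026-01-20T10:21:00Z",
           user={"username": "dev-bob"},
           objectRef={"resource": "configmaps", "namespace": "legacy", "name": "rewrite-script"},
           requestObject={"data": {"script.lua": "function envoy_on_request(h) end"}}),
]

if __name__ == "__main__":
    # With a real audit log:  lua_policy_changes(open("/var/log/kubernetes/audit.log"))
    for finding in lua_policy_changes(SAMPLE_AUDIT_LINES):
        print(json.dumps(finding))
```

An `update` that resubmits a policy whose Lua section is unchanged is still reported, because the full object is in the body; de-duplicate against the previous object (recorded in `responseObject` at `RequestResponse` level) if that is too noisy. Note that the ConfigMap holding a `ValueRef` script is deliberately not matched: the policy that references it is the write that loads the filter into the proxy.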