CVE-2026-26205
📋 TL;DR
This vulnerability in opa-envoy-plugin allows attackers to bypass authorization policies by crafting HTTP requests with double-slash prefixes in paths. The plugin incorrectly interprets these as authority components, creating a mismatch between what authorization policies evaluate and what backend servers process. Organizations using opa-envoy-plugin versions before 1.13.2-envoy-2 for Envoy-based authorization are affected.
💻 Affected Systems
- opa-envoy-plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authorization bypass enabling unauthorized access to protected resources, potentially exposing sensitive data or allowing privilege escalation.
Likely Case
Selective authorization bypass for specific endpoints where attackers can craft paths with double-slash prefixes to evade policy enforcement.
If Mitigated
Limited impact with proper network segmentation and additional authorization layers, though the primary policy enforcement mechanism remains compromised.
🎯 Exploit Status
Exploitation requires only HTTP request crafting with double-slash path prefixes. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.2-envoy-2
Vendor Advisory: https://github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w
Restart Required: Yes
Instructions:
1. Update opa-envoy-plugin to version 1.13.2-envoy-2 or later.
2. Update plugin configuration if needed.
3. Restart Envoy proxy instances.
4. Verify the fix by testing with previously exploitable paths.
🔧 Temporary Workarounds
WAF Rule for Double-Slash Paths
Configure the web application firewall (or the front proxy) to block or alert on HTTP requests containing double-slash sequences in paths. Expect some false positives: legitimate clients occasionally send URLs with embedded "//" in the path.
# Example nginx rule: location ~* "//" { return 403; }
# Caveat: with nginx's default merge_slashes on, adjacent slashes are collapsed before location matching, so the location rule above never fires while the unmodified request line is still proxied upstream. Either set merge_slashes off; in the server block, or test the raw request line: if ($request_uri ~ "//") { return 403; }
# Example Apache rule: RewriteRule .*//.* - [F]
# Caveat: Apache 2.4.39 and later also merge consecutive slashes by default (MergeSlashes On); confirm the rule actually fires against a raw "//" path on your version before relying on it.
Envoy Path Normalization
Configure Envoy to normalize paths before they reach opa-envoy-plugin, removing double-slash sequences, so that the policy and the backend evaluate the same path.
# In the HTTP connection manager configuration (envoy.filters.network.http_connection_manager), set normalize_path: true and merge_slashes: true; these options canonicalize the request path before the ext_authz filter runs
🧯 If You Can't Patch
- Implement additional authorization layer at backend application level
- Deploy network segmentation to limit access to protected resources
🔍 How to Verify
Check if Vulnerable:
Check opa-envoy-plugin version and test with crafted HTTP requests containing paths like /api//protected/resource
Check Version:
Check Envoy configuration or plugin logs for opa-envoy-plugin version string
Verify Fix Applied:
After patching, repeat the same crafted requests; authorization should now evaluate the full path.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with double-slash sequences in paths
- Authorization failures followed by successful resource access
Network Indicators:
- Unusual pattern of requests to protected endpoints with modified path structures
SIEM Query:
http.path CONTAINS "//" AND http.status_code = 200 AND auth.result = "denied"
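The mismatch described in the TL;DR and the log indicators above, as an added Go example (not code from opa-envoy-plugin or from this advisory): Go's net/url reads a request target that starts with "//" as an authority, so the path a policy would evaluate is not the path a slash-merging backend serves; the program then runs that check over constructed access-log lines to flag 2xx responses for such requests. It assumes Envoy's default access-log layout ([time] "METHOD PATH PROTOCOL" CODE ...); all function names and sample lines are my own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// ParserView reads a target as an RFC 3986 parser does: "//a/b" yields host "a", path "/b".
func ParserView(target string) (host, path string) {
	if u, err := url.Parse(target); err == nil {
		return u.Host, u.Path
	}
	return "", target // unparseable target: treat all of it as path
}

var slashRun = regexp.MustCompile(`/{2,}`)

// MergeSlashes is the path a slash-merging router (Envoy merge_slashes, most frameworks) serves.
func MergeSlashes(path string) string { return slashRun.ReplaceAllString(path, "/") }

// Mismatch is true when policy evaluation and the backend would see different paths.
func Mismatch(target string) bool {
	host, parsed := ParserView(target)
	return host != "" || parsed != MergeSlashes(parsed)
}

// FlagAccessLog returns targets from Envoy-style access-log lines answered 2xx despite a mismatch.
func FlagAccessLog(lines []string) (flagged []string) {
	re := regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/[0-9.]+" (\d{3})`)
	for _, line := range lines {
		if m := re.FindStringSubmatch(line); m != nil && m[2][0] == '2' && Mismatch(m[1]) {
			flagged = append(flagged, m[1])
		}
	}
	return flagged
}

func main() {
	lines := []string{ // constructed sample access-log lines, not from a real deployment
		`[2026-02-01T10:00:01Z] "GET //api/protected/resource HTTP/1.1" 200 - 0 512 3`,
		`[2026-02-01T10:00:02Z] "GET /api//protected/resource?x=1 HTTP/1.1" 200 - 0 512 3`,
		`[2026-02-01T10:00:03Z] "GET /api/protected/resource HTTP/1.1" 403 - 0 0 2`,
	}
	for _, t := range FlagAccessLog(lines) {
		h, p := ParserView(t)
		fmt.Printf("%s -> policy sees host=%q path=%q, backend serves %q\n", t, h, p, MergeSlashes(p))
	}
}
```

The same check applies to logs exported by other proxies once the request target and status code are extracted; only the regular expression in FlagAccessLog is tied to Envoy's line layout.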