CVE-2026-26308
📋 TL;DR
This vulnerability in Envoy's RBAC filter allows attackers to bypass access control policies by sending duplicate HTTP headers with malicious values. When multiple headers with the same name are received, Envoy concatenates them into a single string, allowing attackers to hide malicious content from exact-match validation. This affects all Envoy deployments using RBAC filters for access control.
💻 Affected Systems
- Envoy Proxy
📦 What is this software?
Envoy by Envoyproxy
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of all RBAC-based access controls, allowing unauthorized access to protected resources, data exfiltration, or privilege escalation.
Likely Case
Partial bypass of specific RBAC deny rules, potentially allowing access to restricted endpoints or services that should be blocked.
If Mitigated
Limited impact if additional security layers (WAF, authentication, network segmentation) are in place alongside RBAC.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with duplicate headers. No authentication needed if RBAC is the only protection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.37.1, 1.36.5, 1.35.8, or 1.34.13
Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5
Restart Required: Yes
Instructions:
1. Identify the Envoy version currently running.
2. Upgrade to a patched version (1.37.1, 1.36.5, 1.35.8, or 1.34.13).
3. Restart the Envoy service.
4. Verify the fix by testing RBAC functionality.
🔧 Temporary Workarounds
WAF Header Normalization
Configure the upstream WAF or load balancer to normalize duplicate headers before they reach Envoy.
Additional Validation Layer
Implement additional request validation in the application layer or using Lua/WASM filters.
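As an added illustration of the concatenation problem described in the TL;DR and of the extra validation layer suggested above (example code written for this page, not Envoy's own implementation): a deny rule with an exact match is modelled once on the joined string and once per individual value, with repeated policy-relevant headers rejected outright. The "," join, the header name `x-role` and the value `guest` are constructed assumptions used only to model the behaviour the advisory describes.

```python
# Added example, not Envoy code. Models why an exact-match check evaluated on a
# concatenated header value misses a repeated header, and shows the check an
# application layer or Lua/WASM filter can apply instead.
from collections import Counter

POLICY_HEADER = "x-role"   # constructed: header name referenced by a deny rule
DENIED_VALUE = "guest"     # constructed: exact_match value the deny rule targets


def concatenate_duplicates(headers, sep=","):
    """Collapse repeated headers into one value per name (case-insensitive).
    The separator is an ASSUMPTION; the advisory only says values are joined."""
    merged = {}
    for name, value in headers:
        key = name.lower()
        merged[key] = value if key not in merged else f"{merged[key]}{sep}{value}"
    return merged


def deny_on_joined_value(headers):
    """Weak model: the exact match is evaluated against the joined string only,
    so a repeated header changes the compared value and the rule never fires."""
    return concatenate_duplicates(headers).get(POLICY_HEADER) == DENIED_VALUE


def duplicated_names(headers):
    """Return lower-cased header names that occur more than once."""
    counts = Counter(name.lower() for name, _ in headers)
    return sorted(n for n, c in counts.items() if c > 1)


def deny_hardened(headers, policy_names=(POLICY_HEADER,)):
    """Hardened check for a validation layer: any repeated policy header is
    rejected, and the matcher is evaluated against each value, never the join."""
    if any(n in policy_names for n in duplicated_names(headers)):
        return True
    return any(name.lower() == POLICY_HEADER and value == DENIED_VALUE
               for name, value in headers)


# Constructed sample requests as an HTTP parser would present them: a list of
# (name, value) pairs that preserves repetition and original casing.
SINGLE = [("Host", "api.example.test"), ("X-Role", "guest")]
REPEATED = [("Host", "api.example.test"), ("X-Role", "guest"), ("x-role", "member")]

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("repeated", REPEATED)):
        print(label, "joined-value deny:", deny_on_joined_value(req),
              "hardened deny:", deny_hardened(req))
```

The hardened variant denies both sample requests, while the joined-value check only denies the request without a repeated header.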
🧯 If You Can't Patch
- Implement network-level access controls to restrict traffic to Envoy instances
- Add additional authentication/authorization layers before protected resources
🔍 How to Verify
Check if Vulnerable:
Check the Envoy version and the RBAC configuration. If RBAC policies use header matching and the running version is below the patched versions listed above, the system is vulnerable.
Check Version:
envoy --version
Verify Fix Applied:
After patching, test the RBAC rules with requests that carry duplicate headers: a request that would previously have slipped past a deny rule because of the repeated header should now be blocked.
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP requests with duplicate headers to RBAC-protected endpoints
- Successful access to resources that should be denied by RBAC rules
Network Indicators:
- HTTP requests containing duplicate headers with same name
- Unusual traffic patterns to protected endpoints
SIEM Query (pseudo-query; `threshold` and `protected_endpoints` are placeholders to be set for your environment):
http.headers:* AND (http.request_count > threshold) AND (http.path IN protected_endpoints)