Description
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
Published: 2026-01-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential leakage and secret disclosure via Lua script injection
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a code injection flaw in Envoy Gateway’s Lua policy handler. By supplying a malicious Lua script through an EnvoyExtensionPolicy, an attacker can have the script executed with Envoy’s privileges, enabling the extraction of the proxy’s internal credentials. Those credentials can then be used to communicate with the control plane and access all secrets stored by Envoy, such as TLS private keys and downstream/upstream communication credentials. The weakness is identified as CWE-94.

Affected Systems

Envoy Gateway versions before 1.5.7 for the 1.5.x branch and before 1.6.2 for the 1.6.x branch are affected. All deployments using those versions that allow custom Lua policies are at risk. The issue is fixed in 1.5.7 and 1.6.2 and later releases.

Risk and Exploitability

The CVSS score of 8.8 denotes high severity, but the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog at this time. Exploitation requires control over the Lua policy configuration, which is typically available to operators or anyone able to inject a policy. If such access exists, the attacker can immediately extract credentials and consequently compromise all secrets used by the Envoy instance.

Generated by OpenCVE AI on April 18, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy Gateway to version 1.5.7 or later on the 1.5.x branch, or 1.6.2 or later on the 1.6.x branch; these releases contain the fix for the Lua script injection flaw.
  • If an upgrade cannot be performed immediately, remove or disable all custom Lua policies and isolate the policy execution environment to prevent unauthorized script execution.
  • As a temporary measure, restrict or block access to the Envoy control plane from untrusted sources to stop the use of leaked credentials.
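The first two actions above reduce to two checks an operator can script: is the running Envoy Gateway below the fixed release for its branch, and which EnvoyExtensionPolicy objects in the cluster actually carry Lua. The following audit helper is an added example, not OpenCVE's or the Envoy Gateway project's code. It assumes that `kubectl get envoyextensionpolicies -A -o json` yields a standard Kubernetes List, that Lua scripts live under `spec.lua` as items with a `type` of `Inline` or `ValueRef` (the field layout is assumed), and that releases older than the 1.5.x branch are treated as affected because the advisory names fixes only on 1.5 and 1.6. The sample policy list is constructed inline so the script runs offline.

```python
"""Audit helper for CVE-2026-22771: flags affected Envoy Gateway versions and
EnvoyExtensionPolicy objects that ship Lua. Added example; field layout of
spec.lua and treatment of pre-1.5 branches are assumptions, not advisory text."""
import json
import re
from typing import Dict, List, Tuple

# Per-branch fixed releases stated in the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 5): (1, 5, 7),
    (1, 6): (1, 6, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v1.6.1', '1.6.1-rc1' or '1.6' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy Gateway version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the release is below the fixed version for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Assumption: branches newer than 1.6 carry the fix; older branches do not.
    return branch < (1, 5)


def find_lua_policies(policy_list: dict) -> List[Tuple[str, str, List[str]]]:
    """Return (namespace, name, [lua entry types]) for each policy with spec.lua.

    `policy_list` is the JSON document from
    `kubectl get envoyextensionpolicies -A -o json` (assumed resource name).
    """
    found = []
    for item in policy_list.get("items", []):
        meta = item.get("metadata", {})
        lua_entries = (item.get("spec") or {}).get("lua") or []
        if lua_entries:
            types = [str(entry.get("type", "Inline")) for entry in lua_entries]
            found.append((meta.get("namespace", "default"), meta.get("name", "?"), types))
    return found


def audit(version: str, policy_list: dict) -> List[str]:
    """Human-readable findings; an empty list means nothing to act on."""
    findings = []
    if is_affected(version):
        findings.append(f"Envoy Gateway {version} is below the fixed release; "
                        "upgrade to 1.5.7 / 1.6.2 or later")
    for ns, name, types in find_lua_policies(policy_list):
        findings.append(f"EnvoyExtensionPolicy {ns}/{name} carries Lua "
                        f"({', '.join(types)}); review or disable until patched")
    return findings


# Constructed sample: one policy with an inline Lua script, one without Lua.
SAMPLE_POLICY_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "gateway.envoyproxy.io/v1alpha1",
      "kind": "EnvoyExtensionPolicy",
      "metadata": {"name": "lua-header-policy", "namespace": "team-a"},
      "spec": {
        "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "backend"}],
        "lua": [{"type": "Inline", "inline": "function envoy_on_response(h) h:headers():add('x-lua', 'on') end"}]
      }
    },
    {
      "apiVersion": "gateway.envoyproxy.io/v1alpha1",
      "kind": "EnvoyExtensionPolicy",
      "metadata": {"name": "wasm-only-policy", "namespace": "team-b"},
      "spec": {"targetRefs": [], "wasm": []}
    }
  ]
}
""")


if __name__ == "__main__":
    # In a real run, replace SAMPLE_POLICY_LIST with json.load(open("policies.json")).
    for line in audit("v1.6.1", SAMPLE_POLICY_LIST):
        print(line)
```

The version check is deliberately conservative: an unparseable version raises rather than silently passing, and a pre-release tag such as `1.6.1-rc1` is compared on its numeric part only. The policy scan reports both `Inline` and `ValueRef` entries, because a script referenced from a ConfigMap is just as much custom Lua as one embedded in the policy.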

Advisories

Source: GitHub GHSA
ID: GHSA-xrwg-mqj6-6m22
Title: Envoy Extension Policy lua scripts injection causes arbitrary command execution

History

Thu, 05 Feb 2026 21:15:00 +0000
  • CPEs (added): cpe:2.3:a:envoyproxy:gateway:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 00:15:00 +0000
  • References (added)
  • Metrics threat_severity: removed None, added Important

Tue, 13 Jan 2026 09:30:00 +0000
  • First Time appeared (added): Envoyproxy, Envoyproxy gateway
  • Vendors & Products (added): Envoyproxy, Envoyproxy gateway

Mon, 12 Jan 2026 19:15:00 +0000
  • Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:30:00 +0000
  • Description (added): Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
  • Title (added): Envoy Extension Policy lua scripts injection causes arbitrary command execution
  • Weaknesses (added): CWE-94
  • References (added)
  • Metrics cvssV3_1 (added): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-01-12T18:49:19.868Z
  Reserved: 2026-01-09T18:27:19.387Z
  Link: CVE-2026-22771

Vulnrichment
  Updated: 2026-01-12T18:49:15.888Z

NVD
  Status: Analyzed
  Published: 2026-01-12T19:16:03.470
  Modified: 2026-02-05T21:04:49.683
  Link: CVE-2026-22771

Red Hat
  Severity: Important
  Public Date: 2026-01-12T18:08:22Z
  Links: CVE-2026-22771 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-18T07:15:25Z

Weaknesses