Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via RBAC Header Validation
Action: Immediate Patch
AI Analysis

Impact

The Envoy RBAC filter contains a logic flaw in which it concatenates all header values with the same name into a single comma‑separated string rather than validating each value separately. This allows an attacker to send duplicate headers that conceal disallowed values from exact‑match checks, thereby bypassing “Deny” rules and granting unauthorized access to protected resources.
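The mechanism above, as an added Python model (not Envoy's own code; Envoy's RBAC filter is C++ and evaluates full policies, only the header-matching step is modelled here, and every class, function and header name below is hypothetical). It runs a deny rule with an exact header match against a constructed request that sends the same header twice, once with the pre-fix concatenating lookup and once with a per-value lookup, and goes one step beyond the page by also showing that the same folding fails closed for an allow-only policy, which is why Deny rules are the exploitable case:

```python
"""Model of the CVE-2026-26308 bypass: multi-value header lookup before and
after the fix, applied to a minimal RBAC decision. Added illustration only;
names are hypothetical and the sample requests/policies are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Literal

Action = Literal["ALLOW", "DENY"]
Headers = list[tuple[str, str]]   # ordered (name, value) pairs, as on the wire


@dataclass(frozen=True)
class Rbac:
    """An RBAC filter reduced to its filter-level action plus a set of
    policies that each hold one exact-match header condition."""
    action: Action
    header_matches: list[tuple[str, str]]   # (header name, exact value)


def lookup_concatenated(headers: Headers, name: str) -> list[str]:
    """Pre-fix behaviour as described on this page: all values for `name`
    are folded into one comma-separated string before matching."""
    vals = [v for n, v in headers if n.lower() == name.lower()]
    return [",".join(vals)] if vals else []


def lookup_each(headers: Headers, name: str) -> list[str]:
    """Post-fix behaviour as described on this page: every instance of the
    header is handed to the matcher on its own."""
    return [v for n, v in headers if n.lower() == name.lower()]


def evaluate(headers: Headers, rbac: Rbac,
             lookup: Callable[[Headers, str], list[str]]) -> Action:
    """Decide a request. DENY action: any matching policy denies, otherwise
    allow. ALLOW action: any matching policy allows, otherwise deny."""
    hit = any(v == exact
              for name, exact in rbac.header_matches
              for v in lookup(headers, name))
    if rbac.action == "DENY":
        return "DENY" if hit else "ALLOW"
    return "ALLOW" if hit else "DENY"


def reject_duplicate_headers(headers: Headers, protected: list[str]) -> list[str]:
    """Defence-in-depth check for a filter in front of an unpatched proxy
    (hypothetical; upgrading is the fix): names in `protected` that appear
    more than once, which a caller should treat as a reason to refuse."""
    counts = Counter(n.lower() for n, _ in headers)
    return [n for n in protected if counts[n.lower()] > 1]


# Constructed policies: one deny-only, one allow-only, both keyed on x-role.
DENY_INTERNAL = Rbac("DENY", [("x-role", "internal")])
ALLOW_GUEST = Rbac("ALLOW", [("x-role", "guest")])

# Constructed requests: a direct attempt, and the same attempt padded with a
# second x-role value so the concatenated string no longer equals "internal".
DIRECT: Headers = [("host", "api.example.internal"), ("x-role", "internal")]
BYPASS: Headers = DIRECT + [("x-role", "guest")]


def demo() -> dict[str, Action]:
    return {
        "deny, pre-fix, direct": evaluate(DIRECT, DENY_INTERNAL, lookup_concatenated),
        "deny, pre-fix, duplicate": evaluate(BYPASS, DENY_INTERNAL, lookup_concatenated),
        "deny, post-fix, duplicate": evaluate(BYPASS, DENY_INTERNAL, lookup_each),
        "allow, pre-fix, duplicate": evaluate(BYPASS, ALLOW_GUEST, lookup_concatenated),
        "allow, post-fix, duplicate": evaluate(BYPASS, ALLOW_GUEST, lookup_each),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} -> {decision}")
    print("duplicated protected headers:", reject_duplicate_headers(BYPASS, ["x-role"]))
```

With the pre-fix lookup the deny rule sees "internal,guest", which is not an exact match for "internal", so the padded request is allowed; with the per-value lookup the first value matches and the request is denied. The allow-only policy goes the other way under the same folding: "internal,guest" is not "guest", so the request is refused. Folding repeated fields with commas is legitimate HTTP list-field semantics, which is why it is easy to miss that an exact-match authorization decision cannot be made on the folded string.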

Affected Systems

The vulnerability affects Envoy releases prior to the fixed version on each supported branch: 1.37.0, 1.36.4 and earlier, 1.35.7 and earlier, and 1.34.12 and earlier. It is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Any deployment running an unfixed release with the RBAC filter enabled is potentially exposed; deployments whose RBAC policies contain Deny rules keyed on exact header matches are the directly affected case.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N: reachable over the network without authentication or user interaction, with a changed scope and high confidentiality impact, but rated high attack complexity. The EPSS score is below 1 % and the CVE is not listed in the CISA KEV catalog, indicating low observed exploitation. The attack requires only an HTTP client that can send the same header name twice, so any network path that reaches an affected Envoy instance enforcing such a Deny rule is a viable vector.

Generated by OpenCVE AI on April 16, 2026 at 03:30 UTC.

Remediation

Fixed upstream in Envoy 1.37.1, 1.36.5, 1.35.8, and 1.34.13 (see the GitHub advisory GHSA-ghc4-35x6-crw5 under Advisories below). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Envoy to 1.37.1, 1.36.5, 1.35.8, or 1.34.13, whichever corresponds to the branch you run; this is the only complete fix.
  • Until the upgrade lands, reject or normalize requests that repeat a header name your RBAC policies match on (for example in a filter ahead of the RBAC filter), so that no concatenated value reaches the matcher; then confirm with a request carrying the same header twice that the Deny rule still fires.
  • Do not disable the RBAC filter as a stop-gap: that removes the authorization check entirely. Instead, restrict which sources can reach the proxy and review any RBAC policy that relies on an exact-match Deny rule against client-supplied headers.



Advisories
Source: GitHub GHSA
ID: GHSA-ghc4-35x6-crw5
Title: Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
History

Wed, 11 Mar 2026 16:30:00 +0000

CPEs added:
  cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
  cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

First time appeared: Envoyproxy; Envoyproxy envoy
Vendors & Products added: Envoyproxy; Envoyproxy envoy

Tue, 10 Mar 2026 21:15:00 +0000

Metrics added: SSVC (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


Tue, 10 Mar 2026 19:30:00 +0000

Description added: identical to the Description at the top of this page
Title added: Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation
Weaknesses added: CWE-863
References added
Metrics added: CVSS v3.1 score 7.5, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:12:40.604Z

Reserved: 2026-02-13T16:27:51.804Z

Link: CVE-2026-26308

Vulnrichment

Updated: 2026-03-10T20:11:58.525Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:35.707

Modified: 2026-03-11T16:23:23.090

Link: CVE-2026-26308

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses