Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PROXY Protocol v2 header generator in Envoy creates TLVs that can exceed the 65535‑byte length limit. The generated header contains a smaller length field than the number of bytes actually written, causing a mismatch. As a result, up to 65 kilobytes of attacker‑controlled data can be inserted into the upstream request stream when a malicious header is sent. This malformed data bypasses normal parsing and can expose upstream services to data corruption or hidden payloads, leading to information leakage.

Affected Systems

Envoy proxy versions 1.34.0 through 1.35.12, 1.36.0‑1.36.8, 1.37.0‑1.37.4, and 1.38.0‑1.38.2 are affected. The vulnerability is fixed in releases 1.35.13, 1.36.9, 1.37.5, 1.38.3, or any later version.

Risk and Exploitability

The CVSS score of a moderate risk. EPSS data is not available, so the current likelihood of exploitation is unclear. The flaw can be exploited when traffic containing a crafted PROXY Protocol v2 header reaches a listener that is configured to accept the protocol; the attacker only needs network access to the listener and can target a PROXY‑enabled listener.

Generated by OpenCVE AI on June 26, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to release 1.35.13, 1.36.9, 1.37.5, 1.38.3, or any later version that contains the fix for the PROXY Protocol v2 header generator.
  • If an immediate upgrade is not feasible, reconfigure Envoy to disable PROXY Protocol v2 header generation on affected listeners or restrict PROXY header acceptance to trusted networks only.
  • Implement input validation or rate limiting on upstream services to that might result from unpatched header generation.

Generated by OpenCVE AI on June 26, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Envoyproxy
Envoyproxy envoy
Vendors & Products Envoyproxy
Envoyproxy envoy

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Title Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
Weaknesses CWE-130
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L'}


Subscriptions

Envoyproxy Envoy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:07:49.683Z

Reserved: 2026-05-19T21:18:20.403Z

Link: CVE-2026-47692

cve-icon Vulnrichment

Updated: 2026-06-26T19:07:35.786Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T17:59:38Z

Links: CVE-2026-47692 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency