Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Published: 2026-06-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PROXY Protocol v2 header generator in Envoy can emit a set of TLVs whose total, together with the address block, exceeds what the header's 16‑bit length field (maximum 65535 bytes) can describe. The length field is then smaller than the number of bytes actually written. An upstream that parses the header reads only the declared number of bytes as the PROXY header and hands everything after it to the application protocol, so up to roughly 65 KB of attacker‑controlled TLV data is interpreted as part of the upstream request stream. Because those bytes are parsed as application data rather than as PROXY metadata, the effect on the upstream service is corruption of the request stream (the CVSS vector rates this as a limited integrity and availability impact, with no confidentiality impact).

Affected Systems

Envoy proxy versions 1.34.0 through 1.35.12, 1.36.0 through 1.36.8, 1.37.0 through 1.37.4, and 1.38.0 through 1.38.2 are affected. The vulnerability is fixed in releases 1.35.13, 1.36.9, 1.37.5, 1.38.3, and any later version.

Risk and Exploitability

The CVSS 3.1 base score is 4.8 (Medium), vector AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L: adjacent network access and high privileges are required, the rated impact is limited integrity and availability loss with no confidentiality impact, and scope is changed because the smuggled bytes land on a different component (the upstream service). EPSS data is not available, so the current likelihood of exploitation is unclear; the SSVC assessment on this page records exploitation as none and the flaw as not automatable. Note that the flaw is in the header generator, not in a listener's parsing of incoming PROXY headers: it is reachable on connections where Envoy is configured to prepend a PROXY Protocol v2 header to the upstream request, and an attacker must be able to influence the TLVs Envoy emits there so that their total exceeds what the 16‑bit length field can describe.

Generated by OpenCVE AI on June 26, 2026 at 20:24 UTC.

Remediation

Vendor fix: the description lists fixed releases 1.35.13, 1.36.9, 1.37.5, and 1.38.3. No vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Envoy to release 1.35.13, 1.36.9, 1.37.5, 1.38.3, or any later version that contains the fix for the PROXY Protocol v2 header generator.
  • If an immediate upgrade is not feasible, stop Envoy from prepending a PROXY Protocol v2 header on the affected upstream connections, or make sure that no TLV content emitted there can be influenced by untrusted sources.
  • Until the upgrade is in place, strictly validate on upstream services the application data that immediately follows a PROXY Protocol v2 header, since that is where bytes spilled by unpatched header generation would land.
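To make the length‑field mismatch from the Impact section concrete, and to show what the upstream‑side check in the last recommended action actually sees, here is an added Python model. It is illustrative code written for this page, not Envoy's generator or any Envoy API: the PROXY Protocol v2 framing (12‑byte signature, version/command byte, family byte, 16‑bit length, 12‑byte IPv4 address block, type/length/value TLVs) follows the protocol specification, but the way the flawed generator is modelled (length field computed over the TLVs that fit, all TLVs still written) is an assumption about the bug's shape drawn from this page's title, and the TLV types 0xE0/0xE1, the addresses and the request bytes are constructed sample input.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VER_CMD_PROXY = 0x21    # version 2, command PROXY
PP2_AF_INET_STREAM = 0x11   # TCP over IPv4
PP2_MAX_LEN = 0xFFFF        # the 16-bit length field covers addresses + TLVs
PP2_INET_ADDR_LEN = 12      # src IPv4, dst IPv4, src port, dst port


def encode_tlv(tlv_type, value):
    """type (1 byte) || length (2 bytes, big-endian) || value."""
    if len(value) > 0xFFFF:
        raise ValueError("a single TLV value cannot exceed 65535 bytes")
    return struct.pack("!BH", tlv_type, len(value)) + value


def encode_inet_addrs(src, dst):
    """src and dst are (ipv4, port) tuples."""
    return (ipaddress.IPv4Address(src[0]).packed + ipaddress.IPv4Address(dst[0]).packed
            + struct.pack("!HH", src[1], dst[1]))


def _select_tlvs(tlvs):
    """Split encoded TLVs into those that fit under the length field and those that do not."""
    budget = PP2_MAX_LEN - PP2_INET_ADDR_LEN
    kept, skipped = [], []
    for tlv_type, value in tlvs:
        encoded = encode_tlv(tlv_type, value)
        if len(encoded) <= budget:
            kept.append(encoded)
            budget -= len(encoded)
        else:
            skipped.append(encoded)
    return kept, skipped


def _frame(declared, body):
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VER_CMD_PROXY, PP2_AF_INET_STREAM, declared) + body


def build_header_vulnerable(src, dst, tlvs):
    """Assumed shape of the flaw (not Envoy's code): the length field counts only
    the TLVs that fit, but the 'skipped' TLVs are still written after them."""
    addrs = encode_inet_addrs(src, dst)
    kept, skipped = _select_tlvs(tlvs)
    declared = len(addrs) + sum(len(e) for e in kept)
    # BUG: the skipped bytes are emitted but not covered by `declared`.
    return _frame(declared, addrs + b"".join(kept) + b"".join(skipped))


def build_header_fixed(src, dst, tlvs):
    """Fixed form: TLVs that do not fit are dropped, so bytes written == 16 + declared."""
    addrs = encode_inet_addrs(src, dst)
    kept, _skipped = _select_tlvs(tlvs)
    declared = len(addrs) + sum(len(e) for e in kept)
    return _frame(declared, addrs + b"".join(kept))


def declared_length(header):
    """The 16-bit length field at offset 14; the generator invariant is len(header) == 16 + this."""
    return struct.unpack("!H", header[14:16])[0]


def parse_header(data):
    """Upstream-side parse. Returns (tlvs, application_bytes): everything past the
    declared length goes to the application protocol, which is how a mismatch smuggles bytes."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY v2 header")
    ver_cmd, family, declared = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VER_CMD_PROXY or family != PP2_AF_INET_STREAM:
        raise ValueError("unsupported version/command/family")
    body = data[16:16 + declared]
    if len(body) != declared:
        raise ValueError("truncated header")
    tlvs, pos = [], PP2_INET_ADDR_LEN
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + length > len(body):
            raise ValueError("TLV runs past the declared header length")
        tlvs.append((tlv_type, body[pos + 3:pos + 3 + length]))
        pos += 3 + length
    return tlvs, data[16 + declared:]


# Constructed sample input: two 40000-byte TLVs. With the 12 address bytes they
# total 80018 bytes, more than the 16-bit length field can describe.
SAMPLE_TLVS = [(0xE0, b"A" * 40000), (0xE1, b"B" * 40000)]
SRC, DST = ("10.0.0.1", 40000), ("10.0.0.2", 443)
APP_DATA = b"GET / HTTP/1.1\r\nHost: backend\r\n\r\n"   # what the proxy meant to send next


def smuggled_bytes(build):
    """Bytes the upstream would treat as application data ahead of APP_DATA."""
    header = build(SRC, DST, SAMPLE_TLVS)
    _tlvs, app = parse_header(header + APP_DATA)
    return app[:-len(APP_DATA)] if app.endswith(APP_DATA) else app


if __name__ == "__main__":
    print(len(smuggled_bytes(build_header_vulnerable)))   # 40003: a whole TLV lands in the app stream
    print(len(smuggled_bytes(build_header_fixed)))        # 0
```

With the vulnerable builder the second TLV (3 bytes of type/length plus 40000 bytes of value) is written after the declared header and is returned by `parse_header` as application bytes, ahead of the request the proxy intended to send; with the fixed builder the upstream sees exactly `APP_DATA`. The invariant worth asserting in any generator's tests is `len(header) == 16 + declared_length(header)`; the fixed form satisfies it, the vulnerable form does not.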


Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Title Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
Weaknesses CWE-130
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:07:49.683Z

Reserved: 2026-05-19T21:18:20.403Z

Link: CVE-2026-47692

Vulnrichment

Updated: 2026-06-26T19:07:35.786Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency