Description
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Published: 2026-06-26
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the OAuth2 HTTP filter in Envoy decrypts cookies using AES‑256‑CBC without any authentication tag. The /callback endpoint returns HTTP 302 when decryption succeeds and HTTP 401 when padding validation fails, and that observable difference gives an attacker a padding oracle. An adversary who can obtain the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in roughly 6,200 decryption attempts, and can then combine it with a stolen authorization code to obtain the victim's access token. This effectively allows the attacker to forge authenticated sessions and hijack user accounts.

Affected Systems

Envoy proxy servers running a version prior to 1.35.11, 1.36.7, 1.37.3, or 1.38.1 are vulnerable. The bug resides in the OAuth2 HTTP filter component of the envoyproxy:envoy product.

Risk and Exploitability

The CVSS score of 6.8 indicates the vulnerability is of medium severity. While no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the attack can be carried out with a modest number of requests (around 6,200). An attacker who has access to the OAuth callback flow and can capture the encrypted cookie can exploit the padding oracle to retrieve the PKCE code_verifier, effectively compromising the target’s authentication tokens.

Generated by OpenCVE AI on June 26, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Envoy version 1.35.11, 1.36.7, 1.37.3, or 1.38.1, where the OAuth2 filter’s encrypt/decrypt functions are corrected
  • If the OAuth2 filter must remain in use, ensure that it employs authenticated encryption (AEAD) or remove the filter entirely when it is not required
  • Monitor for repeated HTTP 401 responses on the /callback endpoint to detect possible padding oracle attempts and investigate anomalous authentication activity
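
The monitoring action above, sketched as an added example (not OpenCVE's or Envoy's code): it counts HTTP 401 responses on /callback per client in a sliding window and reports clients that exceed a threshold. The log layout, window, threshold, and the assumption that each client's lines arrive in time order are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CALLBACK_PATH = "/callback"      # endpoint named in the advisory
# Assumed tuning values, not from the advisory; set them from normal login traffic.
WINDOW = timedelta(seconds=10)
THRESHOLD = 20                   # 401s per client inside WINDOW

# Assumed simplified access-log layout: "<ISO time> <client> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_callback_401_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: peak number of 401s on /callback inside one window}."""
    recent = defaultdict(deque)  # client -> timestamps of 401s still in the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # line does not fit the assumed layout
        ts, client, _method, path, status = m.groups()
        # Drop the query string: the callback carries code/state parameters.
        if path.split("?", 1)[0] != CALLBACK_PATH or status != "401":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()          # expire failures older than the window
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: one client with a 401 burst, one with a single failure."""
    base = datetime(2026, 6, 26, 12, 0, 0)
    lines = []
    for i in range(60):          # 60 failures in 3 seconds
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 GET /callback?code=x&state=y 401")
    later = base + timedelta(seconds=1)
    lines.append(f"{base.isoformat()} 198.51.100.4 GET /callback?code=a&state=b 401")
    lines.append(f"{later.isoformat()} 198.51.100.4 GET /callback?code=a&state=b 302")
    return lines


if __name__ == "__main__":
    for client, peak in find_callback_401_bursts(build_sample_log()).items():
        print(f"{client}: {peak} x 401 on {CALLBACK_PATH} within {WINDOW.total_seconds():.0f}s")
```

Keying on the client address misses requests spread across many sources, so a total count of 401s on /callback per window is a useful second signal.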



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Values added (no values removed):
  • First Time appeared: Envoyproxy, Envoyproxy envoy
  • Vendors & Products: Envoyproxy, Envoyproxy envoy

Fri, 26 Jun 2026 18:15:00 +0000

Values added (no values removed):
  • Description: the text given under Description at the top of this page
  • Title: Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption
  • Weaknesses: CWE-209, CWE-327
  • References:
  • Metrics: cvssV3_1, score 6.8, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T17:23:51.663Z

Reserved: 2026-05-19T22:36:16.882Z

Link: CVE-2026-47775

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information

  • CWE-327

    Use of a Broken or Risky Cryptographic Algorithm