Description
A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.
Published: 2026-04-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Query Parameter Handler of Envoy, specifically the params.add function in header_mutation.cc. It allows an attacker to inject arbitrary data into the header mutation logic, resulting in header injection that can alter HTTP requests or responses. This flaw can compromise confidentiality and integrity of traffic transmitted through Envoy and allows remote attackers to subvert normal request handling.

Affected Systems

Envoy, the open-source edge and service proxy, is affected in all releases up to and including 1.33.0. Any deployment using those versions is susceptible unless the patch f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4 or a later version containing the fix is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely by supplying specially crafted query parameters to vulnerable Envoy instances. If successful, they can inject headers that may lead to request smuggling, content injection, or other HTTP protocol abuses.

Generated by OpenCVE AI on May 6, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envoy to a version that includes the patch f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4 or later
  • Configure Envoy to remove or sanitize query parameters that influence header mutation logic
  • Deploy network segmentation or a Web Application Firewall to block malformed HTTP requests targeting Envoy


Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 00:15:00 +0000

Type         Values Removed            Values Added
Weaknesses                             CWE-915
References
Metrics      threat_severity: None     threat_severity: Moderate


Mon, 27 Apr 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Envoyproxy
                                       Envoyproxy envoy
Vendors & Products                     Envoyproxy
                                       Envoyproxy envoy

Mon, 27 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description                    A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.
Title                          Envoy Query Parameter header_mutation.cc params.add injection
Weaknesses                     CWE-707
                               CWE-74
References
Metrics                        cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
                               cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
                               cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T17:17:35.083Z

Reserved: 2026-04-24T19:49:39.070Z

Link: CVE-2026-6994

Vulnrichment

Updated: 2026-04-27T17:17:20.969Z

NVD

Status : Deferred

Published: 2026-04-25T19:16:00.360

Modified: 2026-04-27T18:42:11.700

Link: CVE-2026-6994

Redhat

Severity : Moderate

Public Date: 2026-04-25T19:00:19Z

Links: CVE-2026-6994 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T02:00:12Z

Weaknesses