PT-2026-20568 · Envoy · Opa-Envoy-Plugin

Thevilledev · Published 2026-02-18 · Updated 2026-03-03

CVE-2026-26205

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: opa-envoy-plugin versions prior to 1.13.2-envoy-2
Description: The opa-envoy-plugin plugin has an issue in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs during parsing, so a leading path segment prefixed with a double slash (//) is interpreted as an authority component and dropped from the parsed path. This discrepancy between the path evaluated by the authorization filter and the path served by the backend server can allow attackers to bypass access controls with crafted requests. The issue arises when authorization policies rely on input.parsed_path for path-based decisions and backend servers apply lenient path normalization. The affected request pattern examples demonstrate how the input.parsed_path field can differ from the actual request path, potentially leading to unauthorized access. The input.attributes.request.http.path field contains the unprocessed, raw request path.
Recommendations
Versions prior to 1.13.2-envoy-2: Upgrade to version 1.13.2-envoy-2 or later.
Versions prior to 1.13.2-envoy-2: Enable the merge_slashes Envoy configuration option.
Versions prior to 1.13.2-envoy-2: Use input.attributes.request.http.path instead of input.parsed_path in policies.
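An added illustration (not the plugin's or the advisory's own code) of the discrepancy described above: a raw request path handed to Go's net/url parser loses a leading "//" segment to the authority component, while the raw path keeps it. The helper names and sample paths are constructed for this example; a policy that compares the two values, as pathMismatch does, can flag requests where a decision based on the parsed path would diverge from the raw path.

```go
package main

import (
	"net/url"
	"strings"
)

// splitSegments returns the non-empty "/"-separated segments of a path.
func splitSegments(p string) []string {
	var out []string
	for _, s := range strings.Split(p, "/") {
		if s != "" {
			out = append(out, s)
		}
	}
	return out
}

// uriParsedPath reconstructs the pre-fix behaviour the advisory describes:
// the raw request path is handed to a URI parser, so a leading "//" turns the
// first segment into an authority (host) and it disappears from the path.
// Constructed for illustration; this is not the plugin's own code.
func uriParsedPath(rawPath string) (string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// pathMismatch reports whether URI-style parsing of rawPath (the value that
// input.attributes.request.http.path carries unprocessed) yields different
// segments than the raw path itself. A true result is exactly the discrepancy
// a path-based policy written against input.parsed_path cannot see.
func pathMismatch(rawPath string) (bool, error) {
	parsedPath, err := uriParsedPath(rawPath)
	if err != nil {
		return false, err
	}
	raw := strings.Join(splitSegments(rawPath), "/")
	parsed := strings.Join(splitSegments(parsedPath), "/")
	return raw != parsed, nil
}

func main() {
	for _, p := range []string{"/admin/users", "//admin/users"} {
		m, _ := pathMismatch(p)
		println(p, "parsed-path mismatch:", m)
	}
}
```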

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-26205
GHSA-9F29-V6MM-PW6W
GO-2026-4506
SUSE-SU-2026:0757-1

Affected Products

Opa-Envoy-Plugin