Andon Andonov

Researcher from Microsoft
#47968 of 53,633
5.3 Total CVSS
Vulnerabilities · 1
PT-2020-5134
5.3
2020-03-04
CNCF · CNCF Envoy · CVE-2020-8664

**Name of the Vulnerable Software and Affected Versions**

CNCF Envoy versions 1.13.0 and earlier

**Description**

The issue is related to incorrect Access Control when using SDS with Combined Validation Context in CNCF Envoy. This could lead to the "static" part of the validation context not being applied, even if it is visible in the active config dump, when the same secret (e.g., trusted CA) is used across many resources. The vulnerability may allow a remote attacker to access protected information due to errors in authorization.

**Recommendations**

For CNCF Envoy versions 1.13.0 and earlier, consider updating to a version that addresses the incorrect Access Control issue. As a temporary workaround, restrict the use of the same secret across multiple resources to minimize the risk of exploitation. Additionally, review and adjust the Combined Validation Context configuration to ensure the "static" part of the validation context is properly applied.