PT-2026-20563 · Go · github.com/open-policy-agent/opa-envoy-plugin

Published 2026-02-18 · Updated 2026-02-18

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
A security vulnerability has been discovered in how the input.parsed_path field is constructed. The HTTP request path is parsed as if it were a full URI, so a leading path segment prefixed with a double slash (//) is interpreted as the authority component and is therefore dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers: an attacker can bypass access controls by crafting a request for which the authorization filter evaluates a different path than the one the backend ultimately serves.

Attack example

HTTP request:

```http
GET //admin/users HTTP/1.1
Host: example.com
```

Policy sees:

The leading //admin path segment is interpreted as an authority component and dropped from the input.parsed_path field:

```json
{
  "parsed_path": ["users"]
}
```

Backend receives:

The //admin/users path, normalized to /admin/users.

Affected Request Pattern Examples

| Request path | input.parsed_path | input.attributes.request.http.path | Discrepancy |
|---|---|---|---|
| / | [""] | / | ✅ None |
| //foo | [""] | //foo | ❌ Mismatch |
| /admin | ["admin"] | /admin | ✅ None |
| /admin/users | ["admin", "users"] | /admin/users | ✅ None |
| //admin/users | ["users"] | //admin/users | ❌ Mismatch |
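The following Go program is an added example, not code from opa-envoy-plugin or from this advisory. It reconstructs the construction described in the attack example and reproduces the table above: parsedPathLenient hands the request path to net/url's url.Parse, which consumes a leading "//segment" as the URI authority, and then tokenises what is left. Beside it, parsedPathStrict uses url.ParseRequestURI, which parses the input as an HTTP request-target and never splits off an authority; this is one possible hardening offered as an assumption, not necessarily the upstream fix. backendPath models condition 3 of the Impact section (lenient slash normalisation) with path.Clean, and mismatch flags the rows the table marks as discrepancies. All function names are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// parsedPathLenient reconstructs the construction the advisory describes
// (illustration only, not the plugin's source): the request target goes
// through url.Parse, which treats a leading "//segment" as an authority
// component, so that segment never reaches the path.
func parsedPathLenient(reqPath string) ([]string, error) {
	u, err := url.Parse(reqPath)
	if err != nil {
		return nil, err
	}
	return splitPath(u.Path), nil
}

// parsedPathStrict is one possible hardening (an assumption, not necessarily
// the upstream fix): url.ParseRequestURI interprets the input as an HTTP
// request-target, which carries no authority, so "//admin/users" keeps all
// of its path segments.
func parsedPathStrict(reqPath string) ([]string, error) {
	u, err := url.ParseRequestURI(reqPath)
	if err != nil {
		return nil, err
	}
	return splitPath(u.Path), nil
}

// splitPath tokenises a path the way the advisory's table shows:
// "/" -> [""], "/admin/users" -> ["admin", "users"].
func splitPath(p string) []string {
	return strings.Split(strings.TrimLeft(p, "/"), "/")
}

// backendPath models a backend that applies lenient slash normalisation
// (condition 3 of the Impact section): the query string is cut off and
// path.Clean collapses "//admin/users" into "/admin/users".
func backendPath(reqPath string) string {
	p, _, _ := strings.Cut(reqPath, "?")
	return path.Clean(p)
}

// mismatch reports whether the lenient parsed_path disagrees with the
// segments of the path the backend will actually serve, i.e. whether a
// policy keyed on parsed_path would evaluate a different resource.
func mismatch(reqPath string) (bool, error) {
	lenient, err := parsedPathLenient(reqPath)
	if err != nil {
		return false, err
	}
	served := splitPath(backendPath(reqPath))
	return strings.Join(lenient, "/") != strings.Join(served, "/"), nil
}

func main() {
	// Constructed sample request paths, the same rows as the advisory's table.
	for _, p := range []string{"/", "//foo", "/admin", "/admin/users", "//admin/users"} {
		lenient, _ := parsedPathLenient(p)
		strict, _ := parsedPathStrict(p)
		m, _ := mismatch(p)
		fmt.Printf("%-14s lenient=%q strict=%q backend=%q mismatch=%v\n",
			p, lenient, strict, backendPath(p), m)
	}
}
```

Running it prints one line per table row; the two rows the table marks as a mismatch are exactly those where the lenient tokenisation loses a segment that the backend still serves, while the strict variant agrees with the backend on every row.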

Impact

Users are impacted if all of the following conditions apply:
  1. Protected resources are path-hierarchical (e.g., /admin/users vs /users)
  2. Authorization policies use input.parsed_path for path-based decisions
  3. Backend servers apply lenient path normalization (for example, collapsing // into /, so that //admin/users is served as /admin/users)

Patches

Go: v1.13.2-envoy-2
Docker: 1.13.2-envoy-2, 1.13.2-envoy-2-static

Workarounds

Users who cannot immediately upgrade opa-envoy-plugin are recommended to apply one or more of the workarounds described below.

1. Enable the merge_slashes Envoy configuration option

As per [Envoy best practices](https://www.envoyproxy.io/docs/envoy/v1.37.0/configuration/best_practices/edge.html), enabling the [merge_slashes](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-merge-slashes) option on the HTTP connection manager makes Envoy collapse redundant slashes in the request path before any filter runs, so the ext_authz filter and the backend see the same /admin/users path and the input.parsed_path issue described in this advisory cannot be triggered.

2. Use input.attributes.request.http.path instead of input.parsed_path in policies

The input.attributes.request.http.path field contains the unprocessed, raw request path. Users are recommended to update any policy that uses input.parsed_path to derive the path segments from input.attributes.request.http.path instead, as in the example below. Check against your Envoy version whether this field also carries the query string; if it does, cut it off at the first "?" before tokenising, otherwise the last segment will contain the query.
Example

```rego
package example

# Use instead of input.parsed_path
parsed_path := split(                    # tokenize into array
	trim_left(                        # drop leading slashes
		urlquery.decode(input.attributes.request.http.path), # url-decode the path
		"/",
	),
	"/",
)
```

Weakness Enumeration

Incorrect Authorization

Related Identifiers

GHSA-9f29-v6mm-pw6w

Affected Products

github.com/open-policy-agent/opa-envoy-plugin