PT-2026-24377 · Envoy · Envoy

Dor Konis · Published 2026-03-10 · Updated 2026-03-12 · CVE-2026-26308

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Envoy versions prior to 1.37.1
Envoy versions prior to 1.36.5
Envoy versions prior to 1.35.8
Envoy versions prior to 1.34.13
Description

Envoy is a high-performance edge/middle/service proxy. The Envoy RBAC (Role-Based Access Control) filter has a logic issue in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string and compares that joined string against the policy. An exact-match "Deny" rule is therefore evaluated against the concatenated string rather than against each value, so it does not fire when the header is sent more than once. This allows attackers to bypass RBAC policies, specifically "Deny" rules, by sending duplicate headers, hiding the value that should have been denied from exact-match checks. The vulnerability affects the validation of headers used in RBAC policies.
Recommendations

Update to version 1.37.1.
Update to version 1.36.5.
Update to version 1.35.8.
Update to version 1.34.13.
Enable the option to have the RBAC filter match headers individually.
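The following is an added illustration, not Envoy code, of the matching defect described above and of the fix. It models a Deny rule that exact-matches one header and evaluates it two ways: the vulnerable way (all values of a repeated header joined with ", " before the comparison) and the fixed way (each value compared on its own). A small audit helper flags requests that repeat a header any Deny rule depends on, which is the condition a defender wants to see in access logs while older versions are still deployed. The header name `x-debug-mode`, its values and the host name are constructed sample data.

```python
"""Header exact-match under concatenated vs. per-value evaluation.

Constructed model of the RBAC header-matching issue; not Envoy's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HeaderRule:
    """One Deny rule: fires when the named header carries exactly ``exact``."""
    name: str    # header name, compared case-insensitively
    exact: str   # value that must match exactly for the rule to fire


# Headers are kept as (name, value) pairs so duplicate names survive intact.
Headers = List[Tuple[str, str]]


def header_values(headers: Headers, name: str) -> List[str]:
    """Return every value sent for ``name``, in wire order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def deny_rule_fires_concatenated(rule: HeaderRule, headers: Headers) -> bool:
    """Vulnerable behaviour: join repeated values with ', ' and then exact-compare.

    With two values the joined string never equals a single-value rule, so the
    Deny rule silently misses.
    """
    values = header_values(headers, rule.name)
    if not values:
        return False
    return ", ".join(values) == rule.exact


def deny_rule_fires_per_value(rule: HeaderRule, headers: Headers) -> bool:
    """Fixed behaviour: the rule fires if any individual value matches exactly."""
    return any(v == rule.exact for v in header_values(headers, rule.name))


def rbac_allows(deny_rules: List[HeaderRule], headers: Headers,
                per_value: bool = True) -> bool:
    """Deny-policy evaluation: allowed only when no Deny rule fires."""
    check = deny_rule_fires_per_value if per_value else deny_rule_fires_concatenated
    return not any(check(rule, headers) for rule in deny_rules)


def duplicate_policy_headers(deny_rules: List[HeaderRule],
                             headers: Headers) -> Dict[str, List[str]]:
    """Audit helper: policy-relevant header names that arrive more than once.

    Returns {header_name: [values...]} for each header referenced by a Deny
    rule that the request repeats; empty when nothing is repeated.
    """
    watched = {r.name.lower() for r in deny_rules}
    found: Dict[str, List[str]] = {}
    for name in sorted(watched):
        values = header_values(headers, name)
        if len(values) > 1:
            found[name] = values
    return found


# Constructed sample policy and requests (not real traffic).
DENY_RULES = [HeaderRule(name="x-debug-mode", exact="enabled")]

SINGLE_HEADER_REQUEST: Headers = [
    ("host", "api.example.invalid"),
    ("x-debug-mode", "enabled"),
]

DUPLICATE_HEADER_REQUEST: Headers = [
    ("host", "api.example.invalid"),
    ("x-debug-mode", "enabled"),
    ("x-debug-mode", "off"),
]


if __name__ == "__main__":
    for label, req in (("single", SINGLE_HEADER_REQUEST),
                       ("duplicate", DUPLICATE_HEADER_REQUEST)):
        print(label,
              "concatenated allows:", rbac_allows(DENY_RULES, req, per_value=False),
              "per-value allows:", rbac_allows(DENY_RULES, req, per_value=True),
              "repeated policy headers:", duplicate_policy_headers(DENY_RULES, req))
```

Running the script shows the single-header request denied under both evaluators, while the request that repeats the header is allowed by the concatenated evaluator and denied by the per-value one; the audit helper reports the repeated header in the second case only.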

Exploit

Fix

Incorrect Authorization

RCE


Weakness Enumeration

Related Identifiers

BIT-ENVOY-2026-26308
CVE-2026-26308
GHSA-GHC4-35X6-CRW5

Affected Products

Envoy