PT-2026-24626 · Go · Github.Com/Envoyproxy/Envoy

Published

2026-03-10

·

Updated

2026-03-10

CVSS v3.1

7.5

High

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

1. Summary

The Envoy RBAC (Role-Based Access Control) filter contains a logic flaw in how it matches HTTP headers when a request carries multiple values for the same header name. Instead of evaluating the matcher against each header value individually, Envoy first concatenates all values into a single comma-separated string and matches against that. A remote attacker can therefore defeat RBAC policies, in particular "Deny" rules that use exact-match header conditions, by sending the header twice: the concatenated value no longer equals the configured string, so the Deny rule never fires and the request is admitted.

2. Attack Scenario

Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.

Configuration

The Envoy proxy is configured with a Deny rule to reject requests containing the header internal: true.
  • Rule Type: Exact Match
  • Target: internal header must not equal true.

The Bypass Logic

  1. Standard Request (Blocked):
  • Input: internal: true
  • Envoy Processing: Sees the single value "true".
  • Result: Exact match found. Request Denied.
  2. Exploit Request (Bypassed):
  • Input:
    internal: true
    internal: true
  • Envoy Processing: Concatenates the two values into "true,true".
  • Matcher Evaluation: Does "true,true" equal "true"? No.
  • Result: The Deny rule fails to trigger. Request Allowed.

3. Implications

  • RBAC Bypass: Remote attackers can bypass configured access controls.
  • Unauthorized Access: Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
  • Risk: High, particularly for deployments relying on "Exact Match" strategies for security blocking.

4. Reproduction Steps

To verify this vulnerability:
  1. Deploy Envoy: Configure an instance with an RBAC Deny rule that performs an exact match on a specific header (e.g., internal: true).
  2. Baseline Test: Send a request containing the header internal: true.
  • Observation: Envoy blocks this request (HTTP 403).
  3. Exploit Test: Send a second request containing the same header twice:
GET /restricted-resource HTTP/1.1
Host: example.com
internal: true
internal: true
  • Observation: Envoy allows the request, granting access to the resource.

5. Recommendations

Fix Header Validation Logic: Modify the RBAC filter to evaluate the header matcher against each header value instance individually, denying if any instance matches. Avoid relying on the concatenated output of getAllOfHeaderAsString() for security-critical matching unless the matcher is explicitly designed to parse a comma-separated list.
Operator Workaround: Until a fixed build is deployed, rewrite Deny rules that exact-match a header value to use a regex match (the header matcher's safe_regex string matcher) that accepts the value as any element of the comma-separated list, for example (^|,)true(,|$), so that the concatenated form "true,true" still triggers the rule. More generally, Deny rules keyed on attacker-controlled headers are fragile; where the policy allows, express it as an Allow rule and rely on the RBAC filter's default deny, so that an unmatched request is rejected rather than admitted.
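The bypass from the attack scenario and the two remedies above, worked through as an added example that is not Envoy's own code and is not part of the advisory. It models the filter's behaviour in Go: headerValues() parses a raw request with the standard library and keeps repeated header lines as separate values; joinAllValues() stands in for getAllOfHeaderAsString(); denyExactVulnerable() is the affected rule, denyExactPerValue() the per-value check the fix calls for, and denyRegexWorkaround() the regex rewrite of the Deny rule. The three raw requests, all function names and the regex (^|,)true(,|$) are constructed for this example; the mixed-value request also shows that the second header need not repeat "true" for the bypass to work.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Raw HTTP/1.1 requests constructed for this example: the baseline request,
// the duplicate-header exploit from the reproduction steps, and a variant
// with a second, different value, which bypasses the same way.
const baselineRequest = "GET /restricted-resource HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"internal: true\r\n\r\n"

const exploitRequest = "GET /restricted-resource HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"internal: true\r\n" +
	"internal: true\r\n\r\n"

const mixedRequest = "GET /restricted-resource HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"internal: true\r\n" +
	"internal: anything\r\n\r\n"

// headerValues parses a raw request and returns every value carried for the
// named header, in wire order. Repeated header lines stay separate entries,
// which is what the proxy sees before any joining takes place.
func headerValues(raw, name string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	return req.Header.Values(name), nil
}

// joinAllValues models getAllOfHeaderAsString(): all values of a header are
// folded into one comma-separated string before the matcher runs.
func joinAllValues(values []string) string {
	return strings.Join(values, ",")
}

// denyExactVulnerable is the affected Deny rule: an exact comparison of the
// joined string against the configured value. Two "true" headers join to
// "true,true", which is not "true", so the rule never fires.
func denyExactVulnerable(values []string, want string) bool {
	return joinAllValues(values) == want
}

// denyExactPerValue is the behaviour the recommendations call for: run the
// exact matcher against each header value instance and deny if any matches.
func denyExactPerValue(values []string, want string) bool {
	for _, v := range values {
		if v == want {
			return true
		}
	}
	return false
}

// trueElement is the operator-side workaround: a regex that accepts "true" as
// any element of the comma-separated joined string. The same expression would
// go into the Deny rule's safe_regex matcher (an assumption about the rewrite).
var trueElement = regexp.MustCompile(`(^|,)true(,|$)`)

func denyRegexWorkaround(values []string) bool {
	return trueElement.MatchString(joinAllValues(values))
}

// verdict records what each rule decides for one request.
type verdict struct {
	Values          []string
	Joined          string
	Vulnerable      bool // true means the vulnerable exact rule denies
	PerValue        bool // true means the per-value fix denies
	RegexWorkaround bool // true means the regex workaround denies
}

// evaluate parses the request and runs all three rules on its "internal" header.
func evaluate(raw string) (verdict, error) {
	values, err := headerValues(raw, "internal")
	if err != nil {
		return verdict{}, err
	}
	return verdict{
		Values:          values,
		Joined:          joinAllValues(values),
		Vulnerable:      denyExactVulnerable(values, "true"),
		PerValue:        denyExactPerValue(values, "true"),
		RegexWorkaround: denyRegexWorkaround(values),
	}, nil
}

func main() {
	cases := []struct{ name, raw string }{
		{"baseline", baselineRequest},
		{"exploit", exploitRequest},
		{"mixed", mixedRequest},
	}
	for _, c := range cases {
		v, err := evaluate(c.raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s joined=%q deny: vulnerable=%t per-value=%t regex=%t\n",
			c.name, v.Joined, v.Vulnerable, v.PerValue, v.RegexWorkaround)
	}
}
```

Running it shows the baseline request denied by all three rules, while both multi-value requests slip past the vulnerable exact rule and are caught by the per-value check and by the regex. The regex workaround only helps because getAllOfHeaderAsString() joins with a bare comma; it is a stopgap for configurations, not a substitute for the per-value fix in the filter.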
Credit: Dor Konis

Weakness Enumeration

Incorrect Authorization

Related Identifiers

GHSA-GHC4-35X6-CRW5

Affected Products

Github.Com/Envoyproxy/Envoy