PT-2026-34726 · Contour, Envoy

B0B0Haha +1

Published: 2026-04-23 · Updated: 2026-04-25

CVE-2026-41246

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Contour versions 1.19.0 through 1.31.5
Contour versions 1.32.0 through 1.32.4
Contour versions 1.33.0 through 1.33.3
Description: The Cookie Rewriting feature is susceptible to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can provide malicious values in the spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value fields, leading to arbitrary code execution in the Envoy proxy. This occurs because user-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. While the injected code executes only on the attacker's own route, it can be used to read Envoy xDS client credentials from the filesystem, potentially exposing TLS certificates and private keys of other tenants, or to cause a denial of service for other tenants sharing the Envoy instance.
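As an added illustration of the root cause described above (this is not Contour's code: the Lua line and the templates are simplified stand-ins, and the cookie-path allowlist is an assumption), the Go example below renders the same value through raw text/template interpolation and through a hardened path that validates the value and emits it only as an escaped Lua string literal.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Allowlist for a cookie Path attribute (RFC 6265 path-value: no CTLs, no ';').
// Constructed for this example; it is not Contour's validation logic.
var safePath = regexp.MustCompile(`^/[A-Za-z0-9._~!$&'()*+,=:@%/-]*$`)

// luaLiteral renders s as a Lua double-quoted string literal, escaping the
// bytes that could otherwise close the literal or start new statements.
func luaLiteral(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`, "\r", `\r`, "\x00", `\000`)
	return `"` + r.Replace(s) + `"`
}

// Simplified stand-ins for the generated Lua (not Contour's real template):
// the user value lands inside a string literal.
const vulnerableTmpl = `local new_path = "{{ .Path }}"` // raw interpolation
const hardenedTmpl = `local new_path = {{ lua .Path }}`  // rendered via luaLiteral

// renderVulnerable mirrors the flawed pattern: text/template pastes the value
// into Lua source unescaped, so a quote in it changes the program's structure.
func renderVulnerable(path string) string {
	var b strings.Builder
	template.Must(template.New("v").Parse(vulnerableTmpl)).Execute(&b, struct{ Path string }{path})
	return b.String()
}

// renderHardened rejects anything outside the allowlist and emits the value
// only through luaLiteral, so it is always a single Lua string.
func renderHardened(path string) (string, error) {
	if !safePath.MatchString(path) {
		return "", fmt.Errorf("pathRewrite.value %q is not a valid cookie path", path)
	}
	t := template.Must(template.New("h").Funcs(template.FuncMap{"lua": luaLiteral}).Parse(hardenedTmpl))
	var b strings.Builder
	if err := t.Execute(&b, struct{ Path string }{path}); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	v := `/app"`                     // constructed input containing a double quote
	fmt.Println(renderVulnerable(v)) // the quote terminates the Lua literal early
	fmt.Println(renderHardened(v))   // rejected before any Lua is generated
	fmt.Println(renderHardened("/app/x"))
}
```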
Recommendations:
Update to version 1.31.6.
Update to version 1.32.5.
Update to version 1.33.4.

Fix

Weakness Enumeration: Code Injection

Related Identifiers:
BIT-CONTOUR-2026-41246
CVE-2026-41246
GHSA-X4MJ-7F9G-29H4

Affected Products:
Contour
Envoy