CVE-2026-48743

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.35.11 Envoy versions prior to 1.36.7 Envoy versions prior to 1.37.3 Envoy versions prior to 1.38.1

Description Envoy can translate a downstream HTTP/3 request that is complete at the transport layer but contains a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In deployments where the origin server responds before reading the declared body and maintains a reusable connection, the start of a subsequent upstream request may be consumed as the body of the first request. This leads to a request desynchronization where the origin parses the remaining bytes as a new HTTP/1 request, potentially allowing for route-bypass.

Recommendations Update to version 1.35.11. Update to version 1.36.7. Update to version 1.37.3. Update to version 1.38.1.