PT-2026-55061 · Bitnami · Envoy

Published

2026-06-30

·

Updated

2026-06-30

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

BIT-ENVOY-2026-47775

Affected Products

Envoy