PT-2026-60685 · Go · Github.Com/Envoyproxy/Ai-Gateway

CVE-2026-53713

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

Impact

The to absolute normalized path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is critical path fails to match the double-slash variant because //etc/passwd does not start with /etc/.
This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:
  • /etc/passwd
  • Kubernetes SA tokens via //var/run/secrets/kubernetes.io/serviceaccount/token
  • TLS certificates via //certs/...
  • Process environment via //proc/self/environ
These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.

Patches

This has been patched in versions >= v1.7.4 and v1.8.1
  • Collapse redundant path separators (// to /) so double-slash variants like //etc/passwd and //var/run/secrets/... are matched by the critical-path check.
  • Rewrite the traversal check to reject any . or .. segment in any position and across both separator styles (catches /etc/./passwd, ./etc/passwd, /etc/.).

Workarounds

Please refer to the Warning section in Lua docs for measures to reduce risk.

Credits

Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53713
GHSA-WCRF-9VRR-854F

Affected Products

Github.Com/Envoyproxy/Ai-Gateway