{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26308", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.804Z", "datePublished": "2026-03-10T19:01:28.062Z", "dateUpdated": "2026-03-10T20:12:40.604Z"}, "containers": {"cna": {"title": "Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"}, {"name": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867", "tags": ["x_refsource_MISC"], "url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"version": ">= 1.37.0, < 1.37.1", "status": "affected"}, {"version": ">= 1.36.0, < 1.36.5", "status": "affected"}, {"version": ">= 1.35.0, < 1.35.9", "status": "affected"}, {"version": "< 1.34.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:01:28.062Z"}, "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "source": {"advisory": "GHSA-ghc4-35x6-crw5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:10:29.907912Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:12:40.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:10:29.907912Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:11:58.525Z"}}], "cna": {"title": "Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation", "source": {"advisory": "GHSA-ghc4-35x6-crw5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "envoyproxy", "product": "envoy", "versions": [{"status": "affected", "version": ">= 1.37.0, < 1.37.1"}, {"status": "affected", "version": ">= 1.36.0, < 1.36.5"}, {"status": "affected", "version": ">= 1.35.0, < 1.35.9"}, {"status": "affected", "version": "< 1.34.13"}]}], "references": [{"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5", "name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867", "name": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:01:28.062Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26308", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:12:40.604Z", "dateReserved": "2026-02-13T16:27:51.804Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:01:28.062Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4169052-E37B-4577-8689-4DA8D6AFF3F3", "versionEndExcluding": "1.34.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "35DB0A9F-BCEA-48D7-97DE-A63FA24B2032", "versionEndExcluding": "1.35.8", "versionStartIncluding": "1.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*", "matchCriteriaId": "B37DDD3B-8F92-4F76-B3B1-F3743CB41339", "versionEndExcluding": "1.36.5", "versionStartIncluding": "1.36.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*", "matchCriteriaId": "C5266F62-E0D2-4525-90B6-65921EE14F79", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."}, {"lang": "es", "value": "Envoy es un proxy de alto rendimiento de borde/intermedio/servicio. Antes de 1.37.1, 1.36.5, 1.35.8 y 1.34.13, el filtro RBAC (control de acceso basado en roles) de Envoy contiene una vulnerabilidad l\u00f3gica en c\u00f3mo valida los encabezados HTTP cuando hay m\u00faltiples valores presentes para el mismo nombre de encabezado. En lugar de validar cada valor de encabezado individualmente, Envoy concatena todos los valores en una \u00fanica cadena separada por comas. Este comportamiento permite a los atacantes eludir las pol\u00edticas RBAC \u2014espec\u00edficamente las reglas de 'Denegar'\u2014 enviando encabezados duplicados, ocultando eficazmente el valor malicioso de los mecanismos de coincidencia exacta. Esta vulnerabilidad est\u00e1 corregida en 1.37.1, 1.36.5, 1.35.8 y 1.34.13."}], "id": "CVE-2026-26308", "lastModified": "2026-03-11T16:23:23.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T20:16:35.707", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.37.0,1.37.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.36.0,1.36.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.35.0,1.35.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.34.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "envoy", "source": "cna", "vendor": "envoyproxy"}, "product": "envoy", "vendor": "envoyproxy"}], "analysis": {"en": {"generated_at": "2026-04-16T03:30:46.470089+00:00", "value": {"mitigation_remediation": ["Upgrade Envoy to version 1.37.1 or later, or apply the 1.36.5, 1.35.8, or 1.34.13 security releases for older versions.", "Re\u2011enable strict HTTP header validation to reject duplicate header names, ensuring each value is evaluated independently.", "If a patch cannot be applied immediately, temporarily disable the RBAC filter or restrict incoming traffic to the proxy to limit exposure to untrusted sources."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass via RBAC Header Validation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects EnvoyProxy version 1.37.0 and earlier, specifically 1.37.0, 1.36.4, 1.35.7, and 1.34.12, until the fixes delivered in 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Any environment running those versions of the Envoy\u00ae proxy is potentially exposed.", "description_and_impact": "The Envoy RBAC filter contains a logic flaw in which it concatenates all header values with the same name into a single comma\u2011separated string rather than validating each value separately. This allows an attacker to send duplicate headers that conceal disallowed values from exact\u2011match checks, thereby bypassing \u201cDeny\u201d rules and granting unauthorized access to protected resources.", "risk_and_exploitability": "With a CVSS score of 7.5 the flaw has a moderate\u2011high impact, yet the EPSS score is less than 1\u202f% and it is not currently listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. The attack vector is an HTTP client that can supply duplicate header values; an attacker could therefore craft requests that evade RBAC policies from any network path that reaches the Envoy instance."}}}}, "created": "2026-03-11T11:43:29.214165+00:00", "updated": "2026-04-16T03:45:16.006041+00:00", "vendors": ["envoyproxy", "envoyproxy$PRODUCT$envoy"]}