CVE-2026-22771
Published: 12 January 2026
Summary
CVE-2026-22771 is a high-severity Code Injection (CWE-94) vulnerability in Envoyproxy Gateway. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 0.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely patching of Envoy Gateway to versions 1.5.7 or 1.6.2, fixing the Lua script execution flaw that leaks proxy credentials.
- SC-18 (Mobile Code): Governs the installation and execution of Lua scripts as mobile code within Envoy proxy, verifying them to prevent malicious scripts from leaking credentials.
- SI-10 (Information Input Validation): Validates and sanitizes Lua script inputs in EnvoyExtensionPolicy to prevent code injection attacks that enable credential leakage.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct code injection into Lua scripts executed by the public-facing Envoy proxy enables exploitation of the gateway (T1190) and arbitrary Lua script execution (T1059.011) to leak credentials.
NVD Description
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
Deeper analysis
CVE-2026-22771 is a code injection vulnerability (CWE-94) affecting Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In versions prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by the Envoy proxy can be manipulated to leak the proxy's credentials. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious Lua scripts via the EnvoyExtensionPolicy, the attacker can extract the proxy's credentials, which can then be used to communicate directly with the control plane. This grants access to all secrets managed by the Envoy proxy, including TLS private keys and credentials for downstream and upstream communication.
The Envoy Gateway security advisory at https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 details the issue and confirms that it is fixed in versions 1.5.7 and 1.6.2. Security practitioners should upgrade to these patched versions immediately to mitigate the risk, as no additional workarounds are specified in the provided information.
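As an added triage helper (not code from this page or from the Envoy Gateway project), the following Python applies the affected-version rule stated above to a fleet inventory: a release is affected if it is prior to 1.5.7 on the 1.5 branch or prior to 1.6.2 on the 1.6 branch, and the recommended target is the first patched release on the same branch. The inventory names and versions are constructed, and the code assumes that branches older than 1.5 remain unpatched and that branches newer than 1.6 were cut after the fix.

```python
import re

CVE = "CVE-2026-22771"
# First patched release on each affected minor branch, as stated in the advisory.
FIXED_PATCH = {(1, 5): 7, (1, 6): 2}


def parse_version(v):
    """Parse 'v1.6.1', '1.6.1' or '1.6.1-rc.1' into a (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Envoy Gateway version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(v):
    """True if this Envoy Gateway release is prior to 1.5.7 / 1.6.2."""
    major, minor, patch = parse_version(v)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    # Assumption: branches older than 1.5 never received the fix (affected);
    # branches newer than 1.6 were released after it (not affected).
    return branch < min(FIXED_PATCH)


def _fmt(branch):
    return f"{branch[0]}.{branch[1]}.{FIXED_PATCH[branch]}"


def recommended_upgrade(v):
    """Patched release on the same branch, else the newest fixed release; None if patched."""
    if not is_affected(v):
        return None
    branch = parse_version(v)[:2]
    return _fmt(branch if branch in FIXED_PATCH else max(FIXED_PATCH))


def triage(inventory):
    """Map each gateway name to (affected, upgrade_target)."""
    return {name: (is_affected(v), recommended_upgrade(v)) for name, v in inventory.items()}


# Constructed sample inventory; names and versions are made up for this example.
SAMPLE_INVENTORY = {
    "edge-gw-prod": "v1.6.1",
    "edge-gw-staging": "1.6.2",
    "legacy-gw": "v1.4.3",
    "partner-gw": "v1.5.8",
}

if __name__ == "__main__":
    for name, (affected, target) in triage(SAMPLE_INVENTORY).items():
        status = f"AFFECTED by {CVE} -> upgrade to {target}" if affected else "patched"
        print(f"{name:18} {SAMPLE_INVENTORY[name]:8} {status}")
```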
Details
- CWE(s): CWE-94 (Code Injection)