
CVE-2026-22771

High · Public PoC · RCE · Updated

Published: 12 January 2026
Modified: 30 June 2026
KEV Added: —
Patch: —
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (37.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22771 is a high-severity Code Injection (CWE-94) vulnerability in Envoyproxy Gateway. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 37.9th percentile by exploit likelihood (EPSS, below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22771 is a code injection vulnerability (CWE-94) affecting Envoy Gateway, an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. In versions prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by the Envoy proxy can be manipulated to leak the proxy's credentials. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious Lua scripts via the EnvoyExtensionPolicy, the attacker can extract the proxy's credentials, which can then be used to communicate directly with the control plane. This grants access to all secrets managed by the Envoy proxy, including TLS private keys and credentials for downstream and upstream communication.

The Envoy Gateway security advisory at https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 details the issue and confirms that it is fixed in versions 1.5.7 and 1.6.2. Security practitioners should upgrade to these patched versions immediately, as the available information specifies no additional workaround.

Vulnerability details

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.011 Lua (Execution): Adversaries may abuse Lua commands and scripts for execution.
Why these techniques?

Direct code injection into Lua scripts executed by the public-facing Envoy proxy enables exploitation of the gateway (T1190) and arbitrary Lua script execution (T1059.011) to leak credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24030 · Same product: Envoyproxy Gateway
CVE-2026-26308 · Same vendor: Envoyproxy
CVE-2026-44403 · Shared CWE-94
CVE-2026-26310 · Same vendor: Envoyproxy
CVE-2026-41229 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94
CVE-2026-40563 · Shared CWE-94
CVE-2024-32641 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-2052 · Shared CWE-94

Affected Assets

envoyproxy / gateway: ≤ 1.5.7 · 1.6.0 to 1.6.2

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely patching of Envoy Gateway to versions 1.5.7 or 1.6.2, fixing the Lua script execution flaw that leaks proxy credentials.

Prevent (SC-18 Mobile Code): Governs the installation and execution of Lua scripts as mobile code within Envoy proxy, verifying them to prevent malicious scripts from leaking credentials.

Prevent (SI-10 Information Input Validation): Validates and sanitizes Lua script inputs in EnvoyExtensionPolicy to prevent code injection attacks that enable credential leakage.
