Cyber Resilience

CVE-2026-26308

High · Public PoC

Published: 10 March 2026

CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0029 (20.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26308 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-26308 is a logic vulnerability in the Role-Based Access Control (RBAC) filter of Envoy, a high-performance edge, middle, and service proxy. In versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, Envoy fails to validate HTTP headers with multiple values for the same header name individually. Instead, it concatenates all values into a single comma-separated string, which enables attackers to bypass RBAC policies, particularly "Deny" rules protected by exact-match mechanisms. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N).

Attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By sending duplicate headers with a malicious value obscured among benign ones, they can evade RBAC validation, potentially gaining unauthorized access to protected resources. Successful exploitation results in high confidentiality impact through disclosure of sensitive data across the security scope, with low integrity impact and no availability disruption.

The vulnerability is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Official mitigation details are available in the Envoy security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 and the fixing commit at https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867. Security practitioners should upgrade to a patched version immediately.

Vulnerability details

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name.

Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
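To make the matching semantics described in the analysis above and in this description concrete, the following is an added, constructed Python model (not Envoy's C++ code; header names, the rule and the sample requests are hypothetical). It contrasts the pre-fix "join all values with a comma, compare once" evaluation of an exact-match Deny rule with the fixed per-value evaluation, and adds a simple defensive check that surfaces duplicated header names for logging or alerting.

```python
# Added example: a constructed model of RBAC exact-match header evaluation.
# It is NOT Envoy's code; all names and sample values are hypothetical.
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (name, value) as carried on the wire


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values carried by headers named `name` (case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def concatenated_exact_match(headers: List[Header], name: str, expected: str) -> bool:
    """Pre-fix semantics: join every value with ',' and compare once.
    With duplicates present, 'public,admin' never equals the exact value 'admin'."""
    values = header_values(headers, name)
    return bool(values) and ",".join(values) == expected


def per_value_exact_match(headers: List[Header], name: str, expected: str) -> bool:
    """Fixed semantics: the rule matches if ANY individual value matches."""
    return any(v == expected for v in header_values(headers, name))


def deny_rule_blocks(headers: List[Header], name: str, expected: str, fixed: bool) -> bool:
    """Evaluate an exact-match Deny rule; True means the request is rejected."""
    match = per_value_exact_match if fixed else concatenated_exact_match
    return match(headers, name, expected)


def duplicate_header_names(headers: List[Header]) -> List[str]:
    """Defensive check: header names that occur more than once in a request."""
    counts: Dict[str, int] = {}
    for n, _ in headers:
        counts[n.lower()] = counts.get(n.lower(), 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed samples: the Deny rule rejects x-internal-route exactly equal to "admin".
RULE = ("x-internal-route", "admin")
SINGLE = [("host", "svc.example"), ("x-internal-route", "admin")]
DUPLICATED = [("host", "svc.example"), ("x-internal-route", "public"),
              ("x-internal-route", "admin")]

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("duplicated", DUPLICATED)):
        before = deny_rule_blocks(req, *RULE, fixed=False)
        after = deny_rule_blocks(req, *RULE, fixed=True)
        print(f"{label:10} pre-fix blocked={before} fixed blocked={after} "
              f"duplicates={duplicate_header_names(req)}")
```

Under the pre-fix semantics only the single-header request is blocked; under the fixed semantics both are, and the duplicate-name check flags the second request independently of any policy.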

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The RBAC header validation bypass in the public-facing Envoy proxy directly enables exploitation of a public-facing application (T1190) to obtain unauthorized access to protected resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26310 · Same product: Envoyproxy Envoy
CVE-2026-26330 · Same product: Envoyproxy Envoy
CVE-2025-30157 · Same product: Envoyproxy Envoy
CVE-2026-32924 · Shared CWE-863
CVE-2026-23837 · Shared CWE-863
CVE-2020-36948 · Shared CWE-863
CVE-2026-29087 · Shared CWE-863
CVE-2026-30947 · Shared CWE-863
CVE-2024-13291 · Shared CWE-863
CVE-2026-23989 · Shared CWE-863

Affected Assets

envoyproxy/envoy
1.37.0 · ≤ 1.34.13 · 1.35.0 — 1.35.8 · 1.36.0 — 1.36.5

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires correct enforcement of RBAC deny rules on HTTP headers, which the CVE bypasses via concatenated multi-value header logic.

Prevent: Requires validation of all input values (here, each duplicate HTTP header) rather than a concatenated string before access decisions.

Prevent: Mandates enforcement of information flow rules on message attributes (headers), which the flawed RBAC concatenation violates.