CVE-2026-26308
Published: 10 March 2026
Summary
CVE-2026-26308 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 0.1 percentile for exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure that authorization decisions for those devices are implemented correctly.
Monitoring account use, notifying on changes, and reviewing accounts for compliance catches and corrects incorrect authorization assignments.
Controls on the use of external systems ensure that authorization decisions for such use are correctly implemented and enforced.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The RBAC header validation bypass in the public-facing Envoy proxy directly enables exploitation of a public-facing application (T1190) to obtain unauthorized access to protected resources.
NVD Description
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies, specifically "Deny" rules, by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Deeper analysis
CVE-2026-26308 is a logic vulnerability in the Role-Based Access Control (RBAC) filter of Envoy, a high-performance edge, middle, and service proxy. In versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, Envoy fails to validate HTTP headers with multiple values for the same header name individually. Instead, it concatenates all values into a single comma-separated string, which enables attackers to bypass RBAC policies, particularly "Deny" rules protected by exact-match mechanisms. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N).
Attackers with network access can exploit this vulnerability without privileges or user interaction, though the attack complexity is rated high. By sending the same header twice, once with the denied value and once with a benign one, they cause the filter to compare the deny rule against the combined comma-separated string rather than against the denied value itself; the exact-match comparison fails, the deny rule does not fire, and the request reaches the protected resource. Successful exploitation results in high confidentiality impact through disclosure of sensitive data across the security scope, with low integrity impact and no availability disruption.
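To make the logic in the NVD description and the analysis above concrete, the following is an added example, not Envoy's code and not taken from the advisory. It models an exact-match deny rule on a request header in plain Python: `denied_vulnerable` reproduces the flawed behaviour (all values of a header are joined into one comma-separated string before the comparison), `denied_fixed` evaluates each value individually, and `flag_duplicate_rule_headers` is a small detection helper that reports when a header referenced by a deny rule arrives more than once. The rule schema, function names, the `x-role` header, and the sample requests are all constructed for illustration; the exact separator Envoy used does not change the outcome, since any concatenation of two values differs from a single exact value.

```python
"""Model of the duplicate-header RBAC bypass described for CVE-2026-26308.

Added example; not Envoy code. Names, the rule schema and the sample
requests below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderRule:
    """A deny rule keyed on an exact header value (hypothetical schema)."""
    name: str
    exact: str


# Constructed sample requests: lists of (header-name, value) pairs, in the
# order the client sent them. Header names compare case-insensitively.
REQUESTS = {
    "single_admin": [("x-role", "admin")],
    # The denied value is present, but a second copy of the header follows it.
    "duplicate_hides_admin": [("x-role", "admin"), ("x-role", "user")],
    "benign": [("x-role", "user")],
}

# Constructed policy: deny any request that presents x-role: admin.
DENY_RULES = [HeaderRule(name="x-role", exact="admin")]


def header_values(headers, name):
    """Return every value sent for one header name, preserving order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def denied_vulnerable(headers, rules):
    """Flawed check: join all values with a comma, then compare once.

    With two x-role headers the comparison sees "admin,user", which is not
    equal to "admin", so the deny rule silently fails to fire.
    """
    for rule in rules:
        joined = ",".join(header_values(headers, rule.name))  # separator assumed
        if joined == rule.exact:
            return True
    return False


def denied_fixed(headers, rules):
    """Corrected check: the rule matches if any individual value matches."""
    for rule in rules:
        if any(v == rule.exact for v in header_values(headers, rule.name)):
            return True
    return False


def flag_duplicate_rule_headers(headers, rules):
    """Detection helper: names of deny-rule headers that arrive more than once.

    A request carrying duplicates of a header that a deny rule keys on is
    exactly the shape this bypass needs, so it is worth logging or blocking
    at the edge while unpatched versions are still in service.
    """
    return sorted(
        {r.name for r in rules if len(header_values(headers, r.name)) > 1}
    )


if __name__ == "__main__":
    for label, headers in REQUESTS.items():
        print(
            f"{label:24s} vulnerable_denies={denied_vulnerable(headers, DENY_RULES)!s:5s} "
            f"fixed_denies={denied_fixed(headers, DENY_RULES)!s:5s} "
            f"duplicates={flag_duplicate_rule_headers(headers, DENY_RULES)}"
        )
```

Running the block shows the divergence directly: the single-header request is denied by both checks, the benign request by neither, and the duplicate-header request is denied only by the per-value check. Note that the detection helper flags duplicates of rule-referenced headers regardless of their values; legitimate clients rarely send the same custom authorization header twice, but tune it against your own traffic before blocking on it.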
The vulnerability is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Official mitigation details are available in the Envoy security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 and the fixing commit at https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867. Security practitioners should upgrade to a patched version immediately.
Details
- CWE(s)