CVE-2026-26308
Published: 10 March 2026
Summary
CVE-2026-26308 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Envoyproxy Envoy. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-26308 is a logic vulnerability in the Role-Based Access Control (RBAC) filter of Envoy, a high-performance edge, middle, and service proxy. In versions prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, Envoy does not validate each value of a repeated HTTP header individually. Instead, it concatenates all values into a single comma-separated string before matching, which enables attackers to bypass RBAC policies, particularly "Deny" rules that rely on exact-match header matchers. The issue is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N).
Attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. By sending duplicate headers with a malicious value obscured among benign ones, they can evade RBAC validation, potentially gaining unauthorized access to protected resources. Successful exploitation results in high confidentiality impact through disclosure of sensitive data across the security scope, with low integrity impact and no availability disruption.
The vulnerability is addressed in Envoy releases 1.37.1, 1.36.5, 1.35.8, and 1.34.13. Official mitigation details are available in the Envoy security advisory at https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 and the fixing commit at https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867. Security practitioners should upgrade to a patched version immediately.
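To show why a header-based deny rule must be evaluated against each value separately, here is a small added model of the two evaluation strategies described above. It is example code written for this page, not Envoy's RBAC implementation; the X-Role header name, the denied value and the request are constructed samples.

```python
"""Model of exact-match deny evaluation over a repeated HTTP header.

Simplified illustration written for this page; it is NOT Envoy's RBAC code.
"""

# Constructed sample request: the X-Role header is sent twice.
SAMPLE_RAW_HEADERS = [
    ("host", "api.internal.example"),
    ("x-role", "guest"),
    ("x-role", "admin"),
]


def header_values(raw, name):
    """Return every value sent for `name`, in wire order.

    Header names are compared case-insensitively, as HTTP requires.
    """
    wanted = name.lower()
    return [value for (hdr, value) in raw if hdr.lower() == wanted]


def deny_by_joined_value(raw, name, denied_exact):
    """Flawed evaluation: repeated values are joined with ',' and the
    joined string is exact-matched. A denied value that sits next to a
    benign one ("guest,admin") never equals the denied literal ("admin"),
    so the deny rule silently fails to fire."""
    joined = ",".join(header_values(raw, name))
    return joined == denied_exact


def deny_per_value(raw, name, denied_exact):
    """Hardened evaluation: the deny rule fires if ANY individual value
    matches, so repeating the header cannot mask a denied value."""
    return any(value == denied_exact for value in header_values(raw, name))


def evaluate(raw, name, denied_exact):
    """Compare both strategies on one request; useful as a regression
    check that the per-value strategy is the one actually deployed."""
    return {
        "joined": deny_by_joined_value(raw, name, denied_exact),
        "per_value": deny_per_value(raw, name, denied_exact),
    }
```

On the sample request the joined strategy returns False (request allowed) while the per-value strategy returns True (request denied), which is exactly the gap the advisory describes.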
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10798
Vulnerability details
Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name.
Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies, specifically "Deny" rules, by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The RBAC header validation bypass in the public-facing Envoy proxy directly enables exploitation of a public-facing application (T1190) to obtain unauthorized access to protected resources.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly requires correct enforcement of RBAC deny rules on HTTP headers, which the CVE bypasses via the concatenated multi-value header logic.
- Requires validation of all input values (here, each duplicate HTTP header) rather than a concatenated string before access decisions are made.
- AC-4 (Information Flow Enforcement): mandates enforcement of information flow rules on message attributes (headers), which the flawed RBAC concatenation violates.