CVE-2026-41246
Published: 23 April 2026
Summary
CVE-2026-41246 is a high-severity Code Injection (CWE-94) vulnerability in Projectcontour Contour. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Lua (T1059.011); it is ranked at the 35.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-41246 is a Lua code injection vulnerability in Contour, an open-source Kubernetes ingress controller that uses the Envoy proxy. The issue affects Contour versions from v1.19.0 up to but not including v1.33.4, v1.32.5, and v1.31.6, specifically within the Cookie Rewriting feature. This feature is implemented using Envoy's HTTP Lua filter, where user-controlled values from HTTPProxy resources are interpolated into Lua source code via Go's text/template package without adequate sanitization, enabling arbitrary code execution in the Envoy proxy.
An attacker requires RBAC permissions to create or modify HTTPProxy resources in the cluster. They can exploit this by crafting a malicious value in fields such as spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value. The injected code executes only when processing traffic on the attacker's controlled route. However, as Envoy operates as shared infrastructure, the code can access Envoy's xDS client credentials from the filesystem or trigger denial of service impacting other tenants sharing the same Envoy instance. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and is associated with CWE-94 (Improper Control of Generation of Code).
Project Contour has addressed the vulnerability in releases v1.33.4, v1.32.5, and v1.31.6, as detailed in their GitHub release notes and security advisory (GHSA-x4mj-7f9g-29h4). Security practitioners should upgrade affected Contour deployments to one of these patched versions to mitigate the risk.
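A quick way to triage a fleet against the version ranges stated above, as an added Go example that is not Contour's own code: it encodes the advisory's ranges (affected from v1.19.0; fixed in v1.31.6 on the 1.31 line, v1.32.5 on the 1.32 line, and v1.33.4 otherwise) and assumes that any release newer than v1.33.4 is unaffected and that a pre-release or build suffix can be dropped before comparing the numeric triple.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type version struct{ major, minor, patch int }

// parseVersion accepts "v1.32.4", "1.32.4" or "1.32.4-rc.1" (assumption: a
// pre-release or build suffix is dropped and the numeric triple is compared).
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return version{}, fmt.Errorf("bad version component %q in %q", p, s)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2]}, nil
}

func (v version) less(o version) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// Ranges taken from the advisory text: affected from v1.19.0; the 1.31 and
// 1.32 lines are fixed in v1.31.6 and v1.32.5; every other affected line is
// compared against v1.33.4.
var (
	firstAffected = version{1, 19, 0}
	fixedMainline = version{1, 33, 4}
	fixedBranch   = map[[2]int]version{
		{1, 31}: {1, 31, 6},
		{1, 32}: {1, 32, 5},
	}
)

// IsAffected reports whether a Contour release falls inside the vulnerable range.
func IsAffected(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	if v.less(firstAffected) {
		return false, nil
	}
	if fix, ok := fixedBranch[[2]int{v.major, v.minor}]; ok {
		return v.less(fix), nil
	}
	return v.less(fixedMainline), nil
}

func main() {
	// Constructed sample inventory, e.g. image tags collected from running pods.
	for _, tag := range []string{"v1.18.3", "v1.19.0", "v1.31.5", "v1.31.6", "v1.32.4", "v1.33.3", "v1.33.4", "v1.34.0"} {
		affected, err := IsAffected(tag)
		fmt.Printf("%-8s affected=%v err=%v\n", tag, affected, err)
	}
}
```

Feed it the Contour image tags from your clusters; anything that returns true belongs on the upgrade list, and a parse error (for example a `latest` tag) means the version must be pinned before it can be assessed at all.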
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25280
Vulnerability details
Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.
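The root cause described above is a generic one: Go's text/template performs no escaping, so a user string dropped inside a Lua string literal can end that literal and the remainder is read as Lua source. The following is an added Go example, not Contour's template or its fix, showing the hazardous pattern beside a hardened one that first bounds the value to what a cookie Path attribute can be (RFC 6265 path-value: any CHAR except CTL or ';', further restricted here to printable ASCII with a leading '/', which is an assumption about the feature) and then encodes it as a complete Lua string literal before the template ever sees it. The template strings and function names are illustrative.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Illustrative templates only; not Contour's real Lua template.
// unsafeTmpl drops the raw user value inside a Lua string literal. text/template
// performs no escaping (unlike html/template), so a '"' in the value closes the
// literal and whatever follows is parsed as Lua.
const unsafeTmpl = `cookie.path = "{{ .Value }}"`

// safeTmpl receives a value that is already a complete Lua string literal, so
// the template engine never handles raw user bytes.
const safeTmpl = `cookie.path = {{ .Literal }}`

// validateCookiePath bounds the input to a plausible cookie Path attribute:
// printable ASCII, no ';' (the cookie attribute separator), leading '/'
// (assumption: a rewrite target is always an absolute path).
func validateCookiePath(v string) error {
	if !strings.HasPrefix(v, "/") {
		return errors.New("cookie path must start with '/'")
	}
	for i, r := range v {
		if r < 0x20 || r > 0x7e || r == ';' {
			return fmt.Errorf("cookie path has forbidden character %q at offset %d", r, i)
		}
	}
	return nil
}

// luaStringLiteral encodes v as a double-quoted Lua string literal, escaping
// every byte that could close the literal or be read as Lua syntax.
func luaStringLiteral(v string) string {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == '"' || c == '\\':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == '\n':
			b.WriteString(`\n`)
		case c == '\r':
			b.WriteString(`\r`)
		case c < 0x20 || c >= 0x7f:
			b.WriteString(fmt.Sprintf(`\%03d`, c)) // Lua decimal byte escape
		default:
			b.WriteByte(c)
		}
	}
	b.WriteByte('"')
	return b.String()
}

func render(tmpl string, data any) (string, error) {
	t, err := template.New("lua").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe reproduces the hazardous pattern for side-by-side comparison.
func RenderUnsafe(value string) (string, error) {
	return render(unsafeTmpl, map[string]string{"Value": value})
}

// RenderSafe validates, then escapes, then renders. Both steps matter:
// validation restricts the input to what the feature is for, and escaping
// keeps the value a string even if validation is later relaxed.
func RenderSafe(value string) (string, error) {
	if err := validateCookiePath(value); err != nil {
		return "", err
	}
	return render(safeTmpl, map[string]string{"Literal": luaStringLiteral(value)})
}

func main() {
	// Constructed samples: a plain path, one containing a double quote, one with a CTL byte.
	for _, v := range []string{"/app", `/a"b`, "/a\nb"} {
		u, _ := RenderUnsafe(v)
		s, err := RenderSafe(v)
		fmt.Printf("value=%q\n  unsafe: %s\n  safe:   %s err=%v\n", v, u, s, err)
	}
}
```

With the quoted sample the unsafe rendering yields `cookie.path = "/a"b"`, a literal that has already been closed mid-value, while the safe rendering yields `cookie.path = "/a\"b"`, a single well-formed string. Treat the CRD-level validation and the escaping as two independent layers; relying on either alone is how this class of bug survives a refactor.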
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Lua code injection enables arbitrary Lua execution in Envoy proxy (T1059.011); injected code can access xDS credentials from filesystem (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the Lua code injection vulnerability by requiring timely remediation through patching Contour to fixed versions v1.33.4, v1.32.5, or v1.31.6.
- AC-6 (Least Privilege): enforces least privilege on RBAC permissions, preventing unauthorized creation or modification of HTTPProxy resources needed to inject malicious pathRewrite values.
- SI-10 (Information Input Validation): requires validation and sanitization of user-controlled inputs in spec.routes[].cookieRewritePolicies[].pathRewrite.value fields to block Lua code injection via Go text/template interpolation.