GHSA-GHC4-35X6-CRW5

Vulnerability from github – Published: 2026-03-10 18:30 – Updated: 2026-03-10 22:24
Summary
Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation
Details

1. Summary

The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.

2. Attack Scenario

Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.

Configuration

The Envoy proxy is configured with a Deny rule to reject requests containing the header internal: true.

  • Rule Type: Exact Match
  • Target: internal header must not equal true.

The Bypass Logic

  1. Standard Request (Blocked):

    • Input: internal: true
    • Envoy Processing: Sees string "true".
    • Result: Match found. Request Denied.
  2. Exploit Request (Bypassed):

    • Input (the header sent twice):
      internal: true
      internal: true
    • Envoy Processing: Concatenates values into "true,true".
    • Matcher Evaluation: Does "true,true" equal "true"? No.
    • Result: The Deny rule fails to trigger. Request Allowed.

3. Implications

  • RBAC Bypass: Remote attackers can bypass configured access controls.
  • Unauthorized Access: Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
  • Risk: High, particularly for deployments relying on "Exact Match" strategies for security blocking.

4. Reproduction Steps

To verify this vulnerability:

  1. Deploy Envoy: Configure an instance with an RBAC Deny rule that performs an exact match on a specific header (e.g., internal: true).
  2. Baseline Test: Send a request containing the header internal: true.
    • Observation: Envoy blocks this request (HTTP 403).
  3. Exploit Test: Send a second request containing the same header twice:

      GET /restricted-resource HTTP/1.1
      Host: example.com
      internal: true
      internal: true

    • Observation: Envoy allows the request, granting access to the resource.

6. Recommendations

Fix Header Validation Logic: Modify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of getAllOfHeaderAsString() for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.

Examine the Deny rule and consider a regex-style matcher as a fix.
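As an added illustration (not code from Envoy or from this advisory), the snippet below re-creates the concatenate-then-exact-match behaviour described under "The Bypass Logic" and contrasts it with the two fixes recommended here: per-value validation and a regex-style matcher. The header-joining helper is a simplified stand-in for Envoy's getAllOfHeaderAsString(), and the sample requests are constructed.

```cpp
#include <regex>
#include <string>
#include <utility>
#include <vector>

// A request's headers as (name, value) pairs; duplicates are allowed,
// exactly as a raw HTTP/1.1 request can carry the same name twice.
using Headers = std::vector<std::pair<std::string, std::string>>;

// Simplified stand-in (hypothetical) for Envoy's getAllOfHeaderAsString():
// every value of `name` joined with "," into one string.
std::string allOfHeaderAsString(const Headers& h, const std::string& name) {
  std::string out;
  for (const auto& kv : h) {
    if (kv.first != name) continue;
    if (!out.empty()) out += ",";
    out += kv.second;
  }
  return out;
}

// Vulnerable Deny rule: exact match against the concatenated string.
// "true,true" != "true", so a duplicated header slips past the rule.
bool denyVulnerable(const Headers& h) {
  return allOfHeaderAsString(h, "internal") == "true";
}

// Fix 1 (the advisory's recommendation): evaluate each header instance.
bool denyPerValue(const Headers& h) {
  for (const auto& kv : h)
    if (kv.first == "internal" && kv.second == "true") return true;
  return false;
}

// Fix 2 (regex-style): match "true" as a whole element of the
// comma-separated list, tolerating whitespace around the element.
bool denyRegex(const Headers& h) {
  static const std::regex elem("(^|,)\\s*true\\s*(,|$)");
  return std::regex_search(allOfHeaderAsString(h, "internal"), elem);
}

// Constructed sample requests: the baseline and the duplicated-header case.
const Headers kSingle = {{"host", "example.com"}, {"internal", "true"}};
const Headers kDuplicated = {{"host", "example.com"},
                             {"internal", "true"},
                             {"internal", "true"}};
```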

Credit: Dor Konis


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "versions": [
        "1.37.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "last_affected": "1.36.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.35.0"
            },
            {
              "last_affected": "1.35.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.34.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:30:42Z",
    "nvd_published_at": "2026-03-10T20:16:35Z",
    "severity": "HIGH"
  },
  "id": "GHSA-ghc4-35x6-crw5",
  "modified": "2026-03-10T22:24:17Z",
  "published": "2026-03-10T18:30:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26308"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation"
}