Skip to content

Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation

High severity GitHub Reviewed Published Mar 10, 2026 in envoyproxy/envoy • Updated Mar 10, 2026

Package

gomod github.com/envoyproxy/envoy (Go)

Affected versions

= 1.37.0
>= 1.36.0, <= 1.36.4
>= 1.35.0, <= 1.35.8
<= 1.34.12

Patched versions

None

Description

1. Summary

The Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms.

2. Attack Scenario

Consider an environment where an administrator wants to block external access to internal resources using a specific header flag.

Configuration

The Envoy proxy is configured with a Deny rule to reject requests containing the header internal: true.

  • Rule Type: Exact Match
  • Target: internal header must not equal true.

The Bypass Logic

  1. Standard Request (Blocked):

    • Input: internal: true
    • Envoy Processing: Sees string "true".
    • Result: Match found. Request Denied.

  2. Exploit Request (Bypassed):

    • Input: 
      internal: true
internal: true
    • Envoy Processing: Concatenates values into "true,true".
    • Matcher Evaluation: Does "true,true" equal "true"? No.
    • Result: The Deny rule fails to trigger. Request Allowed.

3. Implications

  • RBAC Bypass: Remote attackers can bypass configured access controls.
  • Unauthorized Access: Sensitive internal resources or administrative endpoints protected by header-based Deny rules become accessible.
  • Risk: High, particularly for deployments relying on "Exact Match" strategies for security blocking.

4. Reproduction Steps

To verify this vulnerability:

  1. Deploy Envoy: Configure an instance with an RBAC Deny rule that performs an exact match on a specific header (e.g., internal: true).
  2. Baseline Test: Send a request containing the header internal: true.
    • Observation: Envoy blocks this request (HTTP 403).
  3. Exploit Test: Send a second request containing the same header twice: 
    GET /restricted-resource HTTP/1.1
Host: example.com
internal: true
internal: true
    • Observation: Envoy allows the request, granting access to the resource.

6. Recommendations

Fix Header Validation Logic:
Modify the RBAC filter to validate each header value instance individually. Avoid relying on the concatenated string output of getAllOfHeaderAsString() for security-critical matching unless the matcher is explicitly designed to parse comma-separated lists.

** Examine the DENY role to use a Regex style fix.

Credit: Dor Konis

References

@phlax phlax published to envoyproxy/envoy Mar 10, 2026
Published to the GitHub Advisory Database Mar 10, 2026
Reviewed Mar 10, 2026
Published by the National Vulnerability Database Mar 10, 2026
Last updated Mar 10, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(0th percentile)

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-26308

GHSA ID

GHSA-ghc4-35x6-crw5

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.