PatchSiren cyber security CVE debrief

CVE-2026-47775 Envoyproxy CVE debrief

CVE-2026-47775 is a vulnerability in Envoy's OAuth2 HTTP filter. The filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag, which creates a padding oracle. An attacker who holds the encrypted cookie can recover the plaintext PKCE code_verifier in ~6,200 requests and, combined with a stolen authorization code, exchange it for the victim's access token. This issue affects Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1. The vulnerability has a CVSS score of 6.8 and is classified as MEDIUM severity. The CVE was published on June 26, 2026, and modified on June 29, 2026.

Vendor: Envoyproxy
Product: Envoy
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Users of Envoy, particularly those using the OAuth2 HTTP filter, should be aware of this vulnerability. Affected versions include Envoy 1.35.0 to 1.35.10, 1.36.0 to 1.36.6, 1.37.0 to 1.37.2, and 1.38.0. Upgrading to Envoy 1.35.11, 1.36.7, 1.37.3, or 1.38.1 or later will mitigate the issue.

Technical summary

The OAuth2 HTTP filter in Envoy uses AES-256-CBC for encryption and decryption without an authentication tag. Because the ciphertext carries no integrity check, the decrypt routine's response to a modified cookie reveals whether the resulting padding was valid, which is a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can use this oracle to recover the plaintext PKCE code_verifier in approximately 6,200 requests. With the recovered code_verifier, the attacker can present it together with a stolen authorization code to obtain the victim's access token. The root cause is the lack of an HMAC or an AEAD mode in the encryption process.
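The weak and the hardened constructions side by side, as an added Go example that is not Envoy's code: cbcSeal/cbcOpen stand in for the filter's AES-256-CBC encrypt()/decrypt() without a tag, gcmSeal/gcmOpen show the AEAD replacement, and distinguishesTampering is a reviewer's check for whether a decryptor's failure behaviour depends on how the ciphertext was altered. The key, the sample verifier and all function names are constructed for the example; the check assumes a plaintext that fills whole blocks, so the final block is entirely padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var key = bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for the cookie key, not a real value
func mustAES() cipher.Block { b, _ := aes.NewCipher(key); return b }
func mustGCM() cipher.AEAD  { g, _ := cipher.NewGCM(mustAES()); return g }

// cbcSeal mirrors the weak construction: AES-256-CBC with PKCS#7 padding and no HMAC or tag.
func cbcSeal(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // random IV, prepended to the ciphertext
	cipher.NewCBCEncrypter(mustAES(), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}
func cbcOpen(ct []byte) ([]byte, error) {
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustAES(), ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding") // distinct failure mode: the attacker-observable oracle
	}
	return pt[:len(pt)-n], nil
}

// AEAD form: the tag check rejects any modified byte before plaintext or padding is inspected.
func gcmSeal(pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // fresh random nonce; output layout is nonce || ciphertext || tag
	return mustGCM().Seal(nonce, nonce, pt, nil)
}
func gcmOpen(ct []byte) ([]byte, error) { return mustGCM().Open(nil, ct[:12], ct[12:], nil) }

// distinguishesTampering: corrupt the byte just before the final 16 bytes in two ways and ask
// whether success differs. A sound AEAD answers false; unauthenticated CBC answers true.
func distinguishesTampering(open func([]byte) ([]byte, error), ct []byte) bool {
	outcome := func(delta byte) bool {
		t := append([]byte{}, ct...)
		t[len(t)-17] ^= delta // under CBC this byte XORs straight into the final block's pad byte
		_, err := open(t)
		return err == nil
	}
	return outcome(0x01) != outcome(0x11)
}
```

With a 32-byte constructed verifier v, distinguishesTampering(cbcOpen, cbcSeal(v)) returns true and distinguishesTampering(gcmOpen, gcmSeal(v)) returns false, regardless of the random IV or nonce.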

Defensive priority

This vulnerability should be prioritized for remediation due to its MEDIUM severity and potential impact on access token security. Affected Envoy instances should be upgraded to a patched version as soon as possible.

Recommended defensive actions

  • Upgrade Envoy to version 1.35.11, 1.36.7, 1.37.3, or 1.38.1 or later.
  • Review and update access control and authentication mechanisms for the OAuth2 filter.
  • Monitor for suspicious activity related to the OAuth2 filter and access token requests.
  • Consider implementing additional security measures such as token blacklisting or revocation.
  • Verify that all instances of Envoy are running a patched version.

Evidence notes

The CVE-2026-47775 vulnerability was identified in Envoy's OAuth2 HTTP filter. The issue arises from the use of AES-256-CBC without an authentication tag, leading to a padding oracle vulnerability. The CVE was published on June 26, 2026, and modified on June 29, 2026. The vulnerability affects Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

Official resources

This article is AI-assisted and based on the supplied source corpus.