PatchSiren cyber security CVE debrief
CVE-2026-41246 Projectcontour CVE debrief
CVE-2026-41246 is a high-severity vulnerability in Contour, a Kubernetes ingress controller using Envoy proxy. The vulnerability exists in the Cookie Rewriting feature, which is internally implemented using Envoy's HTTP Lua filter. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value, resulting in arbitrary code execution in the Envoy proxy. The injected code can read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.
- Vendor: Projectcontour
- Product: Contour
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-23
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-23
- Advisory updated: 2026-06-30
Who should care
Anyone operating Contour, a Kubernetes ingress controller, should care about this vulnerability, and especially those who grant or hold RBAC permissions to create or modify HTTPProxy resources. This includes cluster administrators, security teams, and developers who manage Kubernetes infrastructure. Affected versions range from v1.19.0 up to, but not including, v1.33.4, v1.32.5, and v1.31.6.
Technical summary
The vulnerability exists in Contour's Cookie Rewriting feature, which is implemented with Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization; unlike html/template, text/template performs no escaping of its own, so any quoting or validation has to be done by the caller. An attacker can therefore inject Lua code, leading to arbitrary code execution in the Envoy proxy when traffic on their own route is processed. The injected code can access sensitive information or disrupt service for other tenants. The vulnerability carries a CVSS score of 8.1 (severity HIGH).
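As an added illustration (not Contour's code and not the upstream fix, which this debrief does not describe), the following Go snippet places the unsafe text/template interpolation next to a hardened version that first validates the value as an RFC 6265 cookie path and then emits it as an escaped Lua string literal. The template text, the function names and the validation rule are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Stand-in for the pattern the advisory describes: text/template emits the Lua
// snippet and the pathRewrite value is substituted verbatim (assumed, not Contour's code).
const unsafeTmpl = `local rewrite_path = "{{.PathValue}}"`
const safeTmpl = `local rewrite_path = {{luaString .PathValue}}`
// validateCookiePath accepts only an RFC 6265 path-value: a leading "/" and
// no control characters, ';' or non-ASCII bytes.
func validateCookiePath(v string) error {
	if !strings.HasPrefix(v, "/") {
		return fmt.Errorf("cookie path %q must start with '/'", v)
	}
	for i := 0; i < len(v); i++ {
		if b := v[i]; b < 0x20 || b >= 0x7f || b == ';' {
			return fmt.Errorf("cookie path contains disallowed byte %q", b)
		}
	}
	return nil
}
// luaString renders s as a Lua double-quoted literal; backslash, quote, CR and
// LF are escaped so no byte of s can close the literal early.
func luaString(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\r", `\r`, "\n", `\n`)
	return `"` + r.Replace(s) + `"`
}
func render(tmpl, v string) (string, error) {
	fm := template.FuncMap{"luaString": luaString}
	t := template.Must(template.New("cookie").Funcs(fm).Parse(tmpl))
	var buf bytes.Buffer
	err := t.Execute(&buf, map[string]string{"PathValue": v})
	return buf.String(), err
}
// RenderUnsafe reproduces the vulnerable pattern: no validation, no escaping.
func RenderUnsafe(v string) (string, error) { return render(unsafeTmpl, v) }

// RenderSafe validates the value as a cookie path, then escapes it for Lua.
func RenderSafe(v string) (string, error) {
	if err := validateCookiePath(v); err != nil {
		return "", err
	}
	return render(safeTmpl, v)
}
```

With the unsafe template a single `"` in the value already terminates the Lua literal; the hardened path rejects control characters and `;` outright and escapes anything else, so the value stays a string no matter what it contains.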
Defensive priority
This vulnerability has a high CVSS score of 8.1 and can lead to arbitrary code execution, making it a high-priority issue for defenders. Immediate action is recommended to upgrade to a patched version of Contour.
Recommended defensive actions
- Upgrade to Contour version 1.33.4, 1.32.5, or 1.31.6, or later.
- Restrict RBAC permissions to prevent unauthorized creation or modification of HTTPProxy resources.
- Monitor Kubernetes audit logs and Contour logs for unexpected creation or modification of HTTPProxy resources, particularly changes to cookieRewritePolicies.
- Implement additional security measures, such as network segmentation and access controls, to limit the impact of a potential exploit.
- Review and update incident response plans to address potential Lua code injection attacks.
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. The source item URL provides additional metadata about the CVE. Vendor references include release notes for patched versions and a security advisory from GitHub.
Official resources
- CVE-2026-41246 CVE record (CVE.org)
- CVE-2026-41246 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.