PatchSiren cyber security CVE debrief

CVE-2026-41246 Projectcontour CVE debrief

CVE-2026-41246 is a high-severity vulnerability in Contour, a Kubernetes ingress controller built on Envoy proxy. It lies in the Cookie Rewriting feature, which Contour implements internally with Envoy's HTTP Lua filter. An attacker with RBAC permission to create or modify HTTPProxy resources can place a crafted value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value and obtain arbitrary code execution inside the Envoy proxy. The injected code can read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. The vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.

Vendor: Projectcontour
Product: Contour
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-23
Original CVE updated: 2026-06-30
Advisory published: 2026-04-23
Advisory updated: 2026-06-30

Who should care

Anyone running Contour, a Kubernetes ingress controller, should care about this vulnerability, since an attacker only needs RBAC permission to create or modify HTTPProxy resources; the risk is greatest where such permissions are delegated beyond cluster administrators, for example to tenant teams. Cluster administrators, security teams, and developers who manage Kubernetes infrastructure are the relevant audience. Affected versions are v1.19.0 up to, but not including, v1.33.4, v1.32.5, and v1.31.6.

Technical summary

The vulnerability exists in Contour's Cookie Rewriting feature, which uses Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code with Go text/template without sufficient sanitization. An attacker can therefore inject Lua code that Envoy executes when it processes traffic on the attacker's own route. The injected code can access sensitive information or disrupt service for other tenants. The vulnerability is rated CVSS 8.1 (HIGH).
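The following Go program is an added illustration of the injection pattern described above and of the two controls that close it; it is not Contour's code, and the Lua snippet, template names, function names and the path allowlist are all constructed for this example. text/template performs no escaping for its output language, so a value containing a double quote ends the Lua string literal early and the remainder of the value is parsed as Lua code. The hardened variant rejects values outside an allowlist and additionally escapes whatever it accepts, so the value can only ever reach the generated source as string data.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Constructed stand-in for a generated Lua filter body. It is NOT Contour's
// real template; it only reproduces the pattern the advisory describes:
// a user-controlled value dropped into Lua source via Go text/template.
const unsafeTmpl = `local new_path = "{{ .PathValue }}"
return rewrite_cookie_path(cookie, new_path)
`

// Hardened variant: the value passes through a Lua string-literal escaper
// before it lands between the double quotes.
const safeTmpl = `local new_path = "{{ .PathValue | luaq }}"
return rewrite_cookie_path(cookie, new_path)
`

// luaEscape makes s safe to place inside a double-quoted Lua literal:
// backslashes, quotes and line breaks are escaped so the value can never
// terminate the literal early.
func luaEscape(s string) string {
	r := strings.NewReplacer(
		`\`, `\\`,
		`"`, `\"`,
		"\n", `\n`,
		"\r", `\r`,
	)
	return r.Replace(s)
}

// allowedPath is a defensive allowlist for a cookie Path attribute: it must
// start with "/" and may contain only unreserved URL characters. This is an
// assumption made for the example, not the product's validation rule.
var allowedPath = regexp.MustCompile(`^/[A-Za-z0-9._~%/-]*$`)

func render(tmpl, value string, funcs template.FuncMap) (string, error) {
	t, err := template.New("lua").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"PathValue": value}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe mirrors the vulnerable pattern: text/template knows nothing
// about Lua, so the value is spliced into the source verbatim.
func RenderUnsafe(value string) (string, error) {
	return render(unsafeTmpl, value, template.FuncMap{})
}

// RenderSafe rejects values outside the allowlist and escapes whatever is
// accepted; the two layers mean neither one is the sole safeguard.
func RenderSafe(value string) (string, error) {
	if !allowedPath.MatchString(value) {
		return "", errors.New("pathRewrite.value rejected by allowlist")
	}
	return render(safeTmpl, value, template.FuncMap{"luaq": luaEscape})
}

// LiteralIntact inspects the first rendered line: after the opening quote,
// the only unescaped quote must be the closing one at the end of the line.
// A false result means the value broke out of the literal and the rest of
// the line would be parsed by Envoy as Lua code.
func LiteralIntact(luaSrc string) bool {
	line, _, _ := strings.Cut(luaSrc, "\n")
	const prefix = `local new_path = "`
	if !strings.HasPrefix(line, prefix) {
		return false
	}
	body := line[len(prefix):]
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case '\\':
			i++ // skip the escaped character
		case '"':
			return i == len(body)-1 // closing quote must end the line
		}
	}
	return false // literal never closed
}

func main() {
	// Constructed probe value: a single quote is enough to end the literal.
	probe := `/app" .. "x`
	out, _ := RenderUnsafe(probe)
	fmt.Printf("unsafe render keeps literal intact: %v\n%s\n", LiteralIntact(out), out)
	if _, err := RenderSafe(probe); err != nil {
		fmt.Println("safe render:", err)
	}
	good, _ := RenderSafe("/app/v1")
	fmt.Printf("safe render keeps literal intact: %v\n%s", LiteralIntact(good), good)
}
```

The check in LiteralIntact is the kind of assertion a unit test for a code generator should carry: it verifies that attacker-influenced input survives only as string data in the emitted source. For a defender assessing exposure, the practical lesson is that any value of pathRewrite.value containing a quote, backslash or line break in an HTTPProxy object is worth investigating on unpatched versions, since a legitimate cookie Path never needs those characters.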

Defensive priority

With a CVSS score of 8.1 and arbitrary code execution in the shared Envoy proxy as the outcome, this is a high-priority issue for defenders. Upgrading to a patched version of Contour should be treated as immediate work.

Recommended defensive actions

  • Upgrade to Contour v1.33.4, v1.32.5, or v1.31.6, or a later release in the same series.
  • Restrict RBAC permissions so that only trusted principals can create or modify HTTPProxy resources.
  • Monitor Contour logs and Kubernetes audit logs for unexpected changes to HTTPProxy resources.
  • Implement additional security measures, such as network segmentation and access controls, to limit the impact of a successful exploit.
  • Review and update incident response plans to cover Lua code injection in the ingress layer.

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. The source item URL provides additional metadata about the CVE. Vendor references include release notes for patched versions and a security advisory from GitHub.

Official resources

This article is AI-assisted and based on the supplied source corpus.