PatchSiren

Projectcontour CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH | Projectcontour CVE | published 2026-04-23

CVE-2026-41246

CVE-2026-41246 is a high-severity vulnerability in Contour, a Kubernetes ingress controller using Envoy proxy. The vulnerability exists in the Cookie Rewriting feature, which is internally implemented using Envoy's HTTP Lua filter. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[ [truncated]