LeakyCreds

CVE-2026-26308 - Vulnerability Analysis

Severity: High | CVSS: 7.5

Last Updated: March 11, 2026

Envoy - Broken Access Control

Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable

Overview

Envoy versions before 1.37.1, 1.36.5, 1.35.8, and 1.34.13 contain a broken access control vulnerability caused by improper validation of multiple HTTP header values in the RBAC filter. Because the filter does not correctly evaluate every value of a repeated header, an attacker can bypass deny rules by sending duplicate headers; exploitation requires crafted HTTP requests that carry duplicate headers.
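
The following is an added illustration, not Envoy's RBAC filter code, of the general flaw the overview describes: a deny rule that inspects only one value of a repeated header is bypassable, while a rule that evaluates every occurrence is not. The header names, the deny rule and the sample requests are constructed for this example; it also includes a small detection helper that surfaces requests carrying duplicate header names, which is what a defender would log or alert on while patching.

```python
"""Deny-rule evaluation over repeated HTTP headers: a flawed single-value check
beside the all-values check that closes the gap. Illustrative code written for
this page; it is not Envoy's RBAC filter and makes no claim about its internals."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered (name, value) pairs, exactly as the field lines arrive on the wire.
Headers = List[Tuple[str, str]]


@dataclass(frozen=True)
class DenyRule:
    """Deny the request when the named header carries the given value (hypothetical rule shape)."""
    header: str
    value: str


def first_value_only(headers: Headers, name: str) -> Optional[str]:
    """Collapse headers into a dict that keeps only the first occurrence.

    This is the common mistake: a repeated field line silently disappears,
    so whatever the rule evaluates is not the whole request.
    """
    collapsed: Dict[str, str] = {}
    for key, value in headers:
        collapsed.setdefault(key.lower(), value)
    return collapsed.get(name.lower())


def is_denied_naive(headers: Headers, rule: DenyRule) -> bool:
    """Flawed: evaluates the deny rule against a single header value."""
    return first_value_only(headers, rule.header) == rule.value


def all_values(headers: Headers, name: str) -> List[str]:
    """Every value of the named header, in arrival order (header names are case-insensitive)."""
    return [value for key, value in headers if key.lower() == name.lower()]


def is_denied_hardened(headers: Headers, rule: DenyRule) -> bool:
    """Correct: a deny rule fires if ANY occurrence of the header matches."""
    return any(value == rule.value for value in all_values(headers, rule.header))


def duplicate_header_names(headers: Headers) -> List[str]:
    """Detection aid: header names that appear more than once in one request."""
    counts = Counter(key.lower() for key, _ in headers)
    return sorted(name for name, count in counts.items() if count > 1)


# Constructed sample data (not from the advisory).
RULE = DenyRule(header="x-target-service", value="admin")
NORMAL_REQUEST: Headers = [
    ("host", "api.example.test"),
    ("x-target-service", "admin"),
]
DUPLICATED_REQUEST: Headers = [
    ("host", "api.example.test"),
    ("x-target-service", "public"),  # the first occurrence satisfies the naive check
    ("x-target-service", "admin"),   # the second occurrence is what the rule should catch
]

if __name__ == "__main__":
    for label, request in (("normal", NORMAL_REQUEST), ("duplicated", DUPLICATED_REQUEST)):
        print(
            f"{label}: naive denied={is_denied_naive(request, RULE)}, "
            f"hardened denied={is_denied_hardened(request, RULE)}, "
            f"duplicates={duplicate_header_names(request)}"
        )
```

The hardened check is deliberately conservative: for a deny rule, the safe semantics are that a match on any value denies, because the request as a whole carries that value regardless of which occurrence a downstream component reads. Flagging requests with duplicated names gives a cheap interim signal at the edge until the fixed Envoy release is deployed.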

Severity & Score

Severity: High
CVSS Score: 7.5

Impact

Attackers can bypass RBAC deny rules, potentially gaining unauthorized access to protected resources.

Mitigation

Upgrade to versions 1.37.1, 1.36.5, 1.35.8, or 1.34.13 or later.

Details

CVE ID
CVE-2026-26308
Severity
High
CVSS Score
7.5
Type
broken_access_control
Status
confirmed

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N