CVE-2026-41246 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: April 23, 2026
Contour - Command Injection
Published: April 23, 2026 | Updated: April 23, 2026 | Remote Exploitable
Overview
Contour versions from v1.19.0 up to, but not including, v1.33.4, v1.32.5 and v1.31.6 contain a command injection vulnerability caused by insufficient sanitization of user-controlled values in the Lua scripts that Contour generates for cookie rewriting. An attacker who holds RBAC permissions to create or modify HTTPProxy resources can supply cookie rewrite values that break out of the generated script and execute arbitrary code inside the Envoy proxy. Exploitation therefore requires attacker control over HTTPProxy resources in the cluster.
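The mechanism described above, reduced to its essentials, is a code-generation bug: a configuration value is spliced into Lua source as text. The following Go program is an added illustration written for this page; it is not Contour's code and does not reproduce the project's actual templates or fix. The CookieRewrite type, its field names, and the vulnerable and hardened generator functions are assumptions made for the example. It shows a constructed payload that passes an RFC 6265 character allowlist for the cookie path yet still injects a Lua statement into the naive template, because Lua does not require separators between statements, and it shows why the hardened generator escapes every value as a Lua string literal in addition to validating it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CookieRewrite holds the HTTPProxy-author-controlled values of one cookie
// rewrite policy. The field names are an assumption for this illustration,
// not Contour's API types.
type CookieRewrite struct {
	Name   string // cookie to match
	Path   string // replacement Path attribute
	Domain string // replacement Domain attribute
}

// BuildLuaVulnerable splices the values straight into Lua source, the
// pattern the advisory describes: a '"' inside a value terminates the string
// literal and everything after it is executed as Lua by Envoy's filter.
func BuildLuaVulnerable(p CookieRewrite) string {
	return fmt.Sprintf("local name = \"%s\"\nlocal path = \"%s\"\nlocal domain = \"%s\"\n",
		p.Name, p.Path, p.Domain)
}

// LuaQuote renders s as one Lua short string literal: backslash and '"' are
// escaped and every control byte becomes a decimal \ddd escape, so the
// value can never close the literal or start a new statement.
func LuaQuote(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' || c == '"':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == '\n':
			b.WriteString(`\n`)
		case c == '\r':
			b.WriteString(`\r`)
		case c < 0x20 || c == 0x7f:
			fmt.Fprintf(&b, `\%03d`, c)
		default:
			b.WriteByte(c)
		}
	}
	b.WriteByte('"')
	return b.String()
}

var (
	// cookie-name is an RFC 2616 token: no separators, so no '"', '\', ';' or space.
	cookieNameRe = regexp.MustCompile("^[!#$%&'*+\\-.^_`|~0-9A-Za-z]+$")
	// path-value (RFC 6265): printable US-ASCII except ';'. '"' is still
	// allowed, which is why the allowlist alone does not stop the injection.
	cookiePathRe = regexp.MustCompile(`^[\x21-\x3A\x3C-\x7E]+$`)
	// domain-value: dot-separated letter/digit/hyphen labels, optional leading dot.
	cookieDomainRe = regexp.MustCompile(`^\.?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)
)

// Validate rejects values that are not legal cookie attributes at all.
func Validate(p CookieRewrite) error {
	if !cookieNameRe.MatchString(p.Name) {
		return fmt.Errorf("cookie name %q is not an RFC 6265 token", p.Name)
	}
	if p.Path != "" && !cookiePathRe.MatchString(p.Path) {
		return fmt.Errorf("path %q contains characters not allowed in a cookie path", p.Path)
	}
	if p.Domain != "" && !cookieDomainRe.MatchString(p.Domain) {
		return fmt.Errorf("domain %q is not a valid cookie domain", p.Domain)
	}
	return nil
}

// BuildLuaHardened validates the policy and then embeds each value only
// through LuaQuote, so the generated script has exactly the statements the
// template defines.
func BuildLuaHardened(p CookieRewrite) (string, error) {
	if err := Validate(p); err != nil {
		return "", err
	}
	return fmt.Sprintf("local name = %s\nlocal path = %s\nlocal domain = %s\n",
		LuaQuote(p.Name), LuaQuote(p.Path), LuaQuote(p.Domain)), nil
}

func main() {
	// Constructed payload: no spaces and no ';', so it passes the RFC 6265
	// path allowlist, yet Lua needs no separator between statements, so the
	// embedded '"' turns os.execute('id') into code in the vulnerable build.
	evil := CookieRewrite{Name: "session", Path: `/"os.execute('id')x="`, Domain: "example.com"}
	fmt.Print("vulnerable:\n", BuildLuaVulnerable(evil))
	safe, err := BuildLuaHardened(evil)
	fmt.Print("hardened:\n", safe, "err: ", err, "\n")
}
```

The vulnerable template emits `local path = "/"os.execute('id')x=""`, three statements where one was intended; the hardened template emits `local path = "/\"os.execute('id')x=\""`, a single string literal. The design point is that validation and escaping are separate controls: the allowlist rejects values that could never be valid cookie attributes, while escaping guarantees that whatever survives validation can only ever be data inside the script.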
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
An attacker with RBAC permissions to manage HTTPProxy resources can execute arbitrary code in the Envoy proxy, read sensitive credentials accessible to it, or cause a denial of service that affects the shared ingress infrastructure serving every tenant behind that proxy.
Mitigation
Upgrade to v1.33.4, v1.32.5, or v1.31.6 (or later) on the corresponding release line. Until the upgrade is applied, limit RBAC grants that allow creating or modifying HTTPProxy resources to trusted principals, since the exploit requires that access.
Details
- CVE ID: CVE-2026-41246
- Severity: High
- CVSS Score: 8.1
- Type: command_injection
- Status: new
CWE
- CWE-94 (Improper Control of Generation of Code, 'Code Injection')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H