Skip to main content

Project Contour CVE-2026-50149

MEDIUM
Improper Certificate Validation (CWE-295)
2026-07-02 https://github.com/projectcontour/contour GHSA-g3xr-5w5j-w4q4
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

AV:N and PR:N because attacker needs only network access with no credentials; AC:H because the misconfiguration prerequisite must exist; C:H for full JWT bypass exposing protected upstream data; I:L for potential unauthorized writes; A:N as availability is unaffected.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 17:51 vuln.today

DescriptionGitHub Advisory

Impact

When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any HTTPProxy FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token.

To list all HTTPProxies with this invalid configuration, run

bash
kubectl get httpproxies -A -o json | jq -r '
  .items[]
  | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)
  | "Invalid HTTPProxy found: \(.metadata.namespace)/\(.metadata.name)"
'

Patches

This issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any HTTPProxy resources that combine .spec.virtualhost.tls.enableFallbackCertificate: true with .spec.virtualhost.jwtProviders. Affected resources will receive a status condition with the error reason TLSIncompatibleFeatures.

Workarounds

Do not enable .spec.virtualhost.tls.enableFallbackCertificate on HTTPProxy resources that also define .spec.virtualhost.jwtProviders. Remove one of the two settings to avoid the invalid configuration.

References

  • Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate
  • Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/

AnalysisAI

JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines spec.virtualhost.tls.enableFallbackCertificate: true with spec.virtualhost.jwtProviders. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Contour ingress endpoint
Delivery
Send TLS ClientHello omitting SNI extension
Exploit
Contour matches fallback certificate handler
Execution
JWT verification pipeline skipped
Persist
HTTP request forwarded to upstream API
Impact
Access JWT-protected resources without valid token

Vulnerability AssessmentAI

Exploitation Exploitation requires that an HTTPProxy resource in the target Kubernetes cluster is simultaneously configured with `spec.virtualhost.tls.enableFallbackCertificate: true` AND one or more entries under `spec.virtualhost.jwtProviders` - this is a non-default, operator-created misconfiguration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) is internally consistent: network-exploitable with no attacker-side privileges or user interaction required, but marked high complexity because the vulnerable condition (the specific dual-setting misconfiguration) must already exist on the target cluster. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who is aware that a target Kubernetes cluster runs Contour with a misconfigured HTTPProxy (fallback certificate plus JWT providers) initiates a TLS connection to the Contour ingress endpoint without including a TLS SNI extension - a capability trivially available in tools like `openssl s_client -noservername`. Contour's fallback certificate handler matches the connection, and because the JWT verification layer is bypassed for fallback-matched requests, the attacker's HTTP request is forwarded to the protected upstream API without a valid bearer token, gaining unauthorized access to the service. …
Remediation Upgrade Contour to v1.33.5, which is the vendor-released patch for this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy