Envoy Gateway CVE-2026-53713
CRITICALSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Attacker needs policy-authoring rights so PR:L, delivered via K8s API (AV:N/AC:L); stolen credentials reach separate API/XDS systems justifying S:C with dominant confidentiality impact (C:H).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The to_absolute_normalized_path function (security.lua:28-43) does not collapse redundant path separators (// → /). On Linux, //etc/passwd is equivalent to /etc/passwd (POSIX path semantics), but is_critical_path fails to match the double-slash variant because //etc/passwd does not start with /etc/.
This allows Lua code submitted as an EnvoyExtensionPolicy to read arbitrary files from the gateway controller pod's filesystem during Strict validation (the default), including:
/etc/passwd- Kubernetes SA tokens via
//var/run/secrets/kubernetes.io/serviceaccount/token - TLS certificates via
//certs/... - Process environment via
//proc/self/environ
These credentials can be used to read sensitive information from the K8s API Server or from the Gateway XDS server.
Patches
This has been patched in versions >= v1.7.4 and v1.8.1
- Collapse redundant path separators (
//to/) so double-slash variants like//etc/passwdand//var/run/secrets/...are matched by the critical-path check. - Rewrite the traversal check to reject any
.or..segment in any position and across both separator styles (catches/etc/./passwd,./etc/passwd,/etc/.).
Workarounds
Please refer to the Warning section in Lua docs for measures to reduce risk.
Credits
Envoy Gateway thanks @dashingDragon and @Donjon-Cerberus for reporting this issue.
Articles & Coverage 1
AnalysisAI
Arbitrary file disclosure in Envoy Gateway's controller allows a low-privileged tenant who can create an EnvoyExtensionPolicy to read sensitive files from the gateway controller pod. A path-normalization gap in the security.lua critical-path check (CWE-20) lets attacker-supplied Lua bypass the read restriction using double-slash paths (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to submit an EnvoyExtensionPolicy containing Lua to the cluster (Kubernetes RBAC create/update rights on that CRD), and the target must be running the default Strict validation mode where the Lua is executed by the controller during validation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L scores 9.1, driven by high confidentiality impact and a changed scope - stolen SA tokens and XDS credentials pivot to the Kubernetes API server and Gateway XDS, systems distinct from the vulnerable pod. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding RBAC permission to create EnvoyExtensionPolicy objects submits a Lua script that opens //var/run/secrets/kubernetes.io/serviceaccount/token, bypassing the Strict-validation critical-path guard via the double-slash form. During validation the script executes in the controller pod, exfiltrates the service-account token, then reuses it against the Kubernetes API server or XDS to read further secrets. … |
| Remediation | Vendor-released patch: upgrade to Envoy Gateway v1.7.4 (1.7.x branch) or v1.8.1 (1.8.x branch) or later, which collapse redundant '//' separators before the critical-path check and reject any '.' or '..' segment in any position across both separator styles. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit RBAC policies to restrict EnvoyExtensionPolicy creation to trusted administrative users only, and inventory all Envoy Gateway deployments in your environment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wcrf-9vrr-854f