Skip to main content

Envoy Gateway CVE-2026-53718

MEDIUM
Missing Authorization (CWE-862)
2026-07-16 https://github.com/envoyproxy/gateway GHSA-fcrp-7gc2-93g7
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
6.4 MEDIUM

PR:L reflects required HTTPRoute write rights; AC:H reflects extension-managed custom backendRef precondition; C:H for unauthorized cross-namespace backend access; S:U as scope remains within the Envoy Gateway deployment.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 19:31 vuln.today
Analysis Generated
Jul 16, 2026 - 19:31 vuln.today

DescriptionGitHub Advisory

Impact

Envoy Gateway accepts extension-managed custom backendRefs from an HTTPRoute to a backend resource in another namespace without requiring a matching Gateway API ReferenceGrant in the target namespace. This breaks the Gateway API cross-namespace consent model: the namespace that owns the referenced backend resource does not need to opt in with a ReferenceGrant before another namespace’s HTTPRoute can use that resource.

Patches

1.7.4 1.8.1

AnalysisAI

Cross-namespace authorization bypass in Envoy Gateway allows an authenticated user with HTTPRoute creation rights to route traffic to backend resources in foreign namespaces without the required Gateway API ReferenceGrant consent from the target namespace owner. Affected versions span all releases before 1.7.4 and the 1.8.x line before 1.8.1. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain HTTPRoute write access in tenant namespace
Delivery
Identify target backend resource in foreign namespace
Exploit
Craft HTTPRoute with extension-managed custom backendRef to foreign namespace
Execution
Submit HTTPRoute bypassing ReferenceGrant enforcement
Persist
Envoy data plane routes traffic to unauthorized backend
Impact
Exfiltrate data from foreign namespace backend

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker must hold Kubernetes RBAC rights to create or modify HTTPRoute resources in at least one namespace - this maps directly to PR:L in the CVSS vector; (2) Envoy Gateway must be configured with an extension that introduces custom backendRef types, as the bypass only affects extension-managed custom backendRefs and not standard Gateway API backendRefs; and (3) a target backend resource must exist in a different namespace that the attacker wishes to access without authorization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L) reflects the realistic exploitation profile well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to HTTPRoute resources in a low-privilege tenant namespace crafts an HTTPRoute that uses an extension-managed custom backendRef pointing to a sensitive backend service (e.g., an internal database proxy or secrets API) in a separate, higher-trust namespace. Because Envoy Gateway omits the ReferenceGrant check for this custom backendRef type, the control plane programs the Envoy data plane to forward matching traffic to the unauthorized backend without the target namespace owner ever consenting. …
Remediation The primary remediation is upgrading Envoy Gateway to version 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments), available at https://github.com/envoyproxy/gateway/releases/tag/v1.7.4 and https://github.com/envoyproxy/gateway/releases/tag/v1.8.1 respectively. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy