Envoy Gateway CVE-2026-53718
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
PR:L reflects required HTTPRoute write rights; AC:H reflects extension-managed custom backendRef precondition; C:H for unauthorized cross-namespace backend access; S:U as scope remains within the Envoy Gateway deployment.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
Envoy Gateway accepts extension-managed custom backendRefs from an HTTPRoute to a backend resource in another namespace without requiring a matching Gateway API ReferenceGrant in the target namespace. This breaks the Gateway API cross-namespace consent model: the namespace that owns the referenced backend resource does not need to opt in with a ReferenceGrant before another namespace’s HTTPRoute can use that resource.
Patches
AnalysisAI
Cross-namespace authorization bypass in Envoy Gateway allows an authenticated user with HTTPRoute creation rights to route traffic to backend resources in foreign namespaces without the required Gateway API ReferenceGrant consent from the target namespace owner. Affected versions span all releases before 1.7.4 and the 1.8.x line before 1.8.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must hold Kubernetes RBAC rights to create or modify HTTPRoute resources in at least one namespace - this maps directly to PR:L in the CVSS vector; (2) Envoy Gateway must be configured with an extension that introduces custom backendRef types, as the bypass only affects extension-managed custom backendRefs and not standard Gateway API backendRefs; and (3) a target backend resource must exist in a different namespace that the attacker wishes to access without authorization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 6.4 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L) reflects the realistic exploitation profile well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with write access to HTTPRoute resources in a low-privilege tenant namespace crafts an HTTPRoute that uses an extension-managed custom backendRef pointing to a sensitive backend service (e.g., an internal database proxy or secrets API) in a separate, higher-trust namespace. Because Envoy Gateway omits the ReferenceGrant check for this custom backendRef type, the control plane programs the Envoy data plane to forward matching traffic to the unauthorized backend without the target namespace owner ever consenting. … |
| Remediation | The primary remediation is upgrading Envoy Gateway to version 1.7.4 (for 1.7.x deployments) or 1.8.1 (for 1.8.x deployments), available at https://github.com/envoyproxy/gateway/releases/tag/v1.7.4 and https://github.com/envoyproxy/gateway/releases/tag/v1.8.1 respectively. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fcrp-7gc2-93g7