Skip to main content

Envoy CVE-2026-6994

| EUVDEUVD-2026-25670 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-25 cna@vuldb.com
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 25, 2026 - 19:30 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 19:22 euvd
EUVD-2026-25670
Analysis Generated
Apr 25, 2026 - 19:22 vuln.today
CVE Published
Apr 25, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.

AnalysisAI

Code injection in Envoy up to 1.33.0 via improper query parameter handling in the Header Mutation filter allows authenticated remote attackers to inject arbitrary code through the params.add function, resulting in limited confidentiality and integrity impact. The CVSS 5.3 score reflects the requirement for prior authentication and limited scope of impact, though the injection vector in a core HTTP filtering component warrants prompt patching.

Technical ContextAI

Envoy is a Layer 7 proxy and communication bus designed for large modern service-oriented architectures. The vulnerability resides in the Header Mutation HTTP filter (source/extensions/filters/http/header_mutation/header_mutation.cc), specifically in the params.add function which processes query parameters. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that query parameter values are not properly sanitized before being used in downstream contexts, enabling injection attacks. The Header Mutation filter is responsible for modifying HTTP headers based on configured rules, and improper handling of query parameters during this process allows attackers to break out of intended parameter boundaries and inject malicious content.

RemediationAI

Upgrade Envoy to a patched version after 1.33.0 that incorporates commit f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4 (verify against GitHub PR 43502 for the exact release). Until patching is possible, restrict network access to Envoy proxy configuration endpoints to trusted administrators only, and audit query parameter rules in Header Mutation filter configurations for suspicious patterns or exfiltration clauses. Consider disabling the Header Mutation filter entirely if not actively used, as it adds processing overhead and provides a vector for parameter-based injection; the trade-off is loss of header modification capabilities for affected traffic policies. Monitor logs for unusual query parameter patterns or proxy configuration modifications that might indicate exploitation attempts.

Vendor StatusVendor

Share

CVE-2026-6994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy