Skip to main content

Envoy EUVDEUVD-2026-39822

| CVE-2026-48743 HIGH
HTTP Request/Response Smuggling (CWE-444)
2026-06-26 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable and unauthenticated (AV:N/PR:N); AC:H for the upstream early-response/connection-reuse race; scope change (S:C) as a separate backend connection is desynced; I:H for request injection/route bypass, C:L, A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 19:02 EUVD
Analysis Generated
Jun 26, 2026 - 18:32 vuln.today

DescriptionCVE.org

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.

AnalysisAI

HTTP request smuggling in Envoy proxy (versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1) lets remote attackers desynchronize HTTP/1 upstream connections by sending an HTTP/3 downstream request that is transport-complete (HEADERS with FIN) yet declares a nonzero Content-Length, leaving the translated HTTP/1 request with unresolved body debt. When the HTTP/1 origin replies before reading the body and keeps the connection reusable, the start of Envoy's next upstream request is consumed as the prior request's body, and the remainder is parsed by the origin as a separate, attacker-controlled request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Envoy HTTP/3 listener
Delivery
Send FIN-complete request with nonzero Content-Length
Exploit
Envoy emits HTTP/1 upstream request with body debt
Execution
Smuggled bytes consumed as next request by origin
Persist
Origin parses injected GET /pwn
Impact
Route/authorization bypass response returned to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires Envoy deployed with a downstream HTTP/3 listener forwarding to an HTTP/1 (HTTP/1.1) upstream, and an origin server that replies before reading the declared request body while keeping the connection reusable (keep-alive). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS:3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N, base 7.5) reflects a network-reachable, unauthenticated attack with high complexity, a scope change (Envoy desyncs a separate backend connection), high integrity impact (request injection/route bypass), low confidentiality impact, and no availability impact - a coherent profile for a smuggling/desync bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted HTTP/3 request to an Envoy listener that is headers-only/FIN-complete but declares a nonzero Content-Length, causing Envoy to emit an HTTP/1 request with an unsatisfied body to a reusable upstream connection. Because the origin answers before reading the body, the attacker's smuggled bytes (e.g. …
Remediation Upgrade to the patched release for your branch: Vendor-released patch versions are 1.35.11, 1.36.7, 1.37.3, or 1.38.1 (apply the one matching your current minor line) as documented in GHSA-8phg-2h2q-jgxf (https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Catalog all Envoy proxy deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Envoy

View all
CVE-2023-27488 CRITICAL POC
9.8 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.8

CVE-2019-18802 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2019-18801 CRITICAL POC
9.8 Dec 13

An issue was discovered in Envoy 1.12.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2023-27493 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27491 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2023-27487 CRITICAL POC
9.1 Apr 04

Envoy is an open source edge and service proxy designed for cloud-native applications. Rated critical severity (CVSS 9.1

CVE-2020-25017 HIGH POC
8.3 Oct 01

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Rated

CVE-2019-9900 HIGH POC
8.3 Apr 25

When parsing HTTP/1.x header values, Envoy 1.9.0 and before does not reject embedded zero characters (NUL, ASCII 0x0). R

CVE-2026-26308 HIGH POC
7.5 Mar 10

Envoy's RBAC filter improperly concatenates duplicate HTTP headers into comma-separated strings instead of validating ea

CVE-2024-53270 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-53269 HIGH POC
7.5 Dec 18

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2024-45810 HIGH POC
7.5 Sep 20

Envoy is a cloud-native high-performance edge/middle/service proxy. Rated high severity (CVSS 7.5), this vulnerability i

Share

EUVD-2026-39822 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy