CVE Vulnerability Details :
CVE-2026-41246
Status: PUBLISHED
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 23 Apr, 2026 | 18:44
Updated At: 30 Jun, 2026 | 12:08
Rejected At: -

CVE Numbering Authority (CNA)
Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. In versions from v1.19.0 up to, but not including, v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is implemented internally using Envoy's HTTP Lua filter, and user-controlled values are interpolated into Lua source code with Go text/template without sufficient sanitization. The injected code executes only when processing traffic on the attacker's own route, which they already control. However, because Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.
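The mechanism the description names, a user value interpolated into Lua source through Go text/template, shown as an added Go illustration with a hardened variant beside it. This is not Contour's code or its actual fix; the template text, the function names and the RFC 6265 path-value validation are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Vulnerable pattern: the value is spliced into a double-quoted Lua literal and text/template escapes nothing.
// Hardened pattern: the template only ever receives a validated, already-quoted literal built by luaQuote.
var (
	unsafeTmpl = template.Must(template.New("u").Parse("local new_path = \"{{ .Path }}\"\n"))
	safeTmpl   = template.Must(template.New("s").Parse("local new_path = {{ .Path }}\n"))
)

// RenderUnsafe: a double quote in the value closes the literal early, so the remainder is parsed as Lua code, not data.
func RenderUnsafe(path string) (string, error) {
	var buf strings.Builder
	err := unsafeTmpl.Execute(&buf, map[string]string{"Path": path})
	return buf.String(), err
}

// ValidateCookiePath enforces the RFC 6265 path-value grammar: octets 0x20-0x7E except ';' (assumed policy).
func ValidateCookiePath(path string) error {
	for _, r := range path {
		if r < 0x20 || r > 0x7e || r == ';' {
			return fmt.Errorf("invalid character %q in cookie path value", r)
		}
	}
	return nil
}

// luaQuote escapes backslash and double quote so the whole value is one Lua string literal.
func luaQuote(s string) string {
	return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s) + `"`
}
// RenderSafe rejects anything outside the cookie-path grammar, then escapes before templating.
func RenderSafe(path string) (string, error) {
	if err := ValidateCookiePath(path); err != nil {
		return "", err
	}
	var buf strings.Builder
	err := safeTmpl.Execute(&buf, map[string]string{"Path": luaQuote(path)})
	return buf.String(), err
}

func main() {
	u, _ := RenderUnsafe(`/app"`) // constructed input: the stray quote closes the literal early
	s, _ := RenderSafe(`/app"`)   // same input, quote escaped, still a single literal
	fmt.Print(u, s)
}
```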

Affected Products
Vendor: projectcontour
Product: contour
Affected versions:
  • >= 1.33.0, < 1.33.4
  • >= 1.32.0, < 1.32.5
  • >= 1.19.0, < 1.31.6
Problem Types
CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
CVSS version: 3.1
Base score: 8.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
References
https://github.com/projectcontour/contour/security/advisories/GHSA-x4mj-7f9g-29h4 (x_refsource_CONFIRM)
https://github.com/projectcontour/contour/releases/tag/v1.31.6 (x_refsource_MISC)
https://github.com/projectcontour/contour/releases/tag/v1.32.5 (x_refsource_MISC)
https://github.com/projectcontour/contour/releases/tag/v1.33.4 (x_refsource_MISC)
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
2. Contour: Envoy: github.com/projectcontour/contour: Contour: Arbitrary Code Execution and Denial of Service via Lua Code Injection

A flaw was found in Contour, a Kubernetes ingress controller. An attacker with Role-Based Access Control (RBAC) permissions to manage HTTPProxy resources can exploit a Lua code injection vulnerability within Contour's Cookie Rewriting feature. By crafting a malicious value in specific configuration fields, the attacker can achieve arbitrary code execution in the Envoy proxy. This could allow them to read sensitive credentials from the filesystem or cause a denial of service for other users sharing the Envoy instance.

Affected Products
Vendor: Red Hat, Inc.
Product: ExternalDNS Operator
CPE: cpe:/a:redhat:ext_dns_optr:1
Default Status: unaffected
Problem Types
CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
CVSS version: 3.1
Base score: 8.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Red Hat severity rating: Important (namespace: https://access.redhat.com/security/updates/classification/)
Timeline
2026-04-23 20:01:47: Reported to Red Hat.
2026-04-23 18:44:39: Made public.
References
https://access.redhat.com/security/cve/CVE-2026-41246 (vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2461257 (issue-tracking, x_refsource_REDHAT)
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41246.json (x_sadp-csaf-vex)