CVE-2026-26205

Source
https://cve.org/CVERecord?id=CVE-2026-26205
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26205.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26205
Aliases
Downstream
Related
Published
2026-02-19T19:31:26.905Z
Modified
2026-03-04T22:29:05.837859Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in `input.parsed_path`
Details

opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed, so a leading path segment prefixed with a double slash (//) is interpreted as an authority component and is therefore dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
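The Go snippet below is an added illustration, not code from the opa-envoy-plugin project: it contrasts a parsed_path built by handing the request path to a full-URI parser with one built by treating the value strictly as a path, and reports the disagreement the advisory describes. The function names and the sample path "//admin/secret" are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// splitSegments yields the non-empty segments, the shape of input.parsed_path.
func splitSegments(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '/' })
}

// ParsedPathViaURL reproduces the flawed construction the advisory describes
// (illustrative reconstruction, not the plugin's code): a full-URI parser reads
// "//admin/secret" as authority "admin" + path "/secret", losing a segment.
func ParsedPathViaURL(rawPath string) ([]string, error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return nil, err
	}
	return splitSegments(u.Path), nil
}

// ParsedPathPathOnly treats the value strictly as a request path: query and
// fragment are cut off, no authority is recognised, so every segment survives.
func ParsedPathPathOnly(rawPath string) []string {
	if i := strings.IndexAny(rawPath, "?#"); i >= 0 {
		rawPath = rawPath[:i]
	}
	return splitSegments(rawPath)
}

// PathInterpretationMismatch reports whether the two constructions disagree, i.e.
// whether a policy seeing the URI-parsed segments judges a different resource.
func PathInterpretationMismatch(rawPath string) (bool, error) {
	viaURL, err := ParsedPathViaURL(rawPath)
	if err != nil {
		return false, err
	}
	pathOnly := ParsedPathPathOnly(rawPath)
	return strings.Join(viaURL, "/") != strings.Join(pathOnly, "/"), nil
}

func main() {
	m, _ := PathInterpretationMismatch("//admin/secret")
	fmt.Println("mismatch for //admin/secret:", m)
}
```

A policy test suite can run PathInterpretationMismatch over representative paths as a regression check that the segments a policy decides on are the segments the upstream will serve.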

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26205.json"
}
References

Affected packages

Git / github.com/open-policy-agent/opa-envoy-plugin

Affected ranges

Type
GIT
Repo
https://github.com/open-policy-agent/opa-envoy-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.24.0-envoy-8
Other
proxy_init-v7
proxy_init-v8
v0.*
v0.10.6
v0.10.7
v0.12.0
v0.12.1
v0.13.2
v0.14.2
v0.21.0
v0.21.1
v0.22.0
v0.23.0
v0.23.1
v0.23.2
v0.24.0
v0.24.0-envoy-1
v0.24.0-envoy-11
v0.24.0-envoy-3
v0.24.0-envoy-4
v0.24.0-envoy-5
v0.24.0-envoy-7
v0.24.0-envoy-8
v0.25.0-envoy
v0.25.1-envoy
v0.25.2-envoy
v0.25.2-envoy-3
v0.26.0-envoy
v0.26.0-envoy-2
v0.26.0-envoy-6
v0.27.0-envoy
v0.27.0-envoy-4
v0.27.0-envoy-5
v0.27.1-envoy
v0.28.0-envoy
v0.29.1-envoy
v0.29.4-envoy-2
v0.29.4-envoy-3
v0.30.1-envoy
v0.30.1-envoy-5
v0.30.2-envoy-1
v0.31.0-envoy
v0.32.0-envoy-4
v0.32.1-envoy-1
v0.33.1-envoy-2
v0.33.1-envoy-3
v0.34.0-envoy
v0.34.2-envoy
v0.35.0-envoy
v0.35.0-envoy-1
v0.35.0-envoy-7
v0.36.0-envoy
v0.36.1-envoy
v0.37.1-envoy
v0.37.2-envoy
v0.38.0-envoy
v0.38.1-envoy-3
v0.39.0-envoy
v0.40.0-envoy
v0.41.0-envoy
v0.42.0-envoy
v0.42.1-envoy
v0.43.0-envoy
v0.44.0-envoy
v0.45.0-envoy
v0.45.0-envoy-10
v0.46.1
v0.46.1-envoy
v0.47.0-envoy
v0.47.2-envoy
v0.47.3-envoy
v0.47.4-envoy
v0.48.0-envoy
v0.49.0-envoy
v0.49.1-envoy
v0.49.2-envoy
v0.50.0-envoy-1
v0.50.1-envoy
v0.50.2-envoy
v0.51.0-envoy
v0.52.0-envoy
v0.53.0-envoy-1
v0.53.1-envoy
v0.54.0-envoy
v0.55.0-envoy
v0.56.0-envoy
v0.56.0-envoy-3
v0.57.0-envoy
v0.57.1-envoy
v0.57.1-envoy-3
v0.58.0-envoy
v0.59.0-envoy
v0.60.0-envoy
v0.61.0-envoy
v0.62.0-envoy
v0.62.1-envoy
v0.62.1-envoy-4
v0.63.0-envoy
v0.64.0-envoy
v0.64.1-envoy
v0.65.0-envoy
v0.66.0-envoy
v0.66.0-envoy-2
v0.67.0-envoy
v0.67.1-envoy
v0.68.0-envoy
v0.68.0-envoy-2
v0.68.0-envoy-3
v0.68.0-envoy-4
v0.69.0-envoy
v0.70.0-envoy
v0.70.0-envoy-1
v1.*
v1.0.0-envoy
v1.1.0-envoy-1
v1.10.0-envoy
v1.11.0-envoy
v1.11.1-envoy-3
v1.12.0-envoy
v1.12.1-envoy
v1.12.2-envoy
v1.13.0-envoy
v1.13.1-envoy
v1.2.0-envoy-2
v1.3.0-envoy-1
v1.4.2-envoy
v1.5.0-envoy-4
v1.5.1-envoy
v1.6.0-envoy-2
v1.7.1-envoy
v1.8.0-envoy
v1.9.0-envoy

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26205.json"