GHSA-g3xr-5w5j-w4q4

Source
https://github.com/advisories/GHSA-g3xr-5w5j-w4q4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-g3xr-5w5j-w4q4/GHSA-g3xr-5w5j-w4q4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g3xr-5w5j-w4q4
Aliases
  • CVE-2026-50149
Published
2026-07-02T17:15:20Z
Modified
2026-07-02T17:30:11.986096756Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Contour has Improper JWT Verification for Non-SNI Requests on Virtual Hosts with Fallback Certificate Enabled
Details

Impact

When an HTTPProxy is configured with an incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI, or that send an unrecognized SNI (one that does not match any HTTPProxy FQDN), bypass the configured JWT verification and are proxied to upstream services without a valid token.

To list all HTTPProxies with this invalid configuration, run

kubectl get httpproxies -A -o json | jq -r '
  .items[]
  | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders)
  | "Invalid HTTPProxy found: \(.metadata.namespace)/\(.metadata.name)"
'

Patches

This issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any HTTPProxy resources that combine .spec.virtualhost.tls.enableFallbackCertificate: true with .spec.virtualhost.jwtProviders. Affected resources will receive a status condition with the error reason TLSIncompatibleFeatures.
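The same check that the jq one-liner above performs, and that Contour v1.33.5 now enforces at admission time, written out as an added Go example (not Contour's own code). It parses the output of `kubectl get httpproxies -A -o json` using hand-written minimal types that model only the fields named in this advisory (the struct shapes are an assumption, not Contour's API package), flags every HTTPProxy that combines enableFallbackCertificate: true with at least one jwtProviders entry, and ships with a constructed three-resource sample list so it runs offline:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// HTTPProxyList mirrors the shape of `kubectl get httpproxies -A -o json`,
// reduced to the fields this check needs. These are assumed, hand-written
// types, not Contour's own API structs; unknown fields are ignored.
type HTTPProxyList struct {
	Items []HTTPProxy `json:"items"`
}

// HTTPProxy holds the subset of an HTTPProxy resource relevant to the advisory.
type HTTPProxy struct {
	Metadata struct {
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		VirtualHost *VirtualHost `json:"virtualhost"`
	} `json:"spec"`
}

// VirtualHost carries the two settings whose combination is invalid.
type VirtualHost struct {
	Fqdn string `json:"fqdn"`
	TLS  *struct {
		EnableFallbackCertificate bool `json:"enableFallbackCertificate"`
	} `json:"tls"`
	JWTProviders []struct {
		Name string `json:"name"`
	} `json:"jwtProviders"`
}

// IsIncompatible reports whether a single HTTPProxy combines
// enableFallbackCertificate: true with at least one jwtProvider, the
// combination Contour v1.33.5 rejects with reason TLSIncompatibleFeatures.
func IsIncompatible(p HTTPProxy) bool {
	vh := p.Spec.VirtualHost
	if vh == nil || vh.TLS == nil {
		return false
	}
	return vh.TLS.EnableFallbackCertificate && len(vh.JWTProviders) > 0
}

// FindIncompatible parses kubectl's JSON list output and returns
// "namespace/name" for every HTTPProxy that has the invalid combination.
func FindIncompatible(data []byte) ([]string, error) {
	var list HTTPProxyList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("parsing HTTPProxy list: %w", err)
	}
	var bad []string
	for _, p := range list.Items {
		if IsIncompatible(p) {
			bad = append(bad, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return bad, nil
}

// SampleList is a constructed HTTPProxy list: one resource with only the
// fallback certificate, one with only JWT providers, and one (apps/api)
// that combines both and must be flagged.
const SampleList = `{
  "items": [
    {"metadata": {"namespace": "apps", "name": "web"},
     "spec": {"virtualhost": {"fqdn": "web.example.com",
       "tls": {"secretName": "web-tls", "enableFallbackCertificate": true}}}},
    {"metadata": {"namespace": "apps", "name": "auth-only"},
     "spec": {"virtualhost": {"fqdn": "auth.example.com",
       "tls": {"secretName": "auth-tls"},
       "jwtProviders": [{"name": "default", "issuer": "https://idp.example.com"}]}}},
    {"metadata": {"namespace": "apps", "name": "api"},
     "spec": {"virtualhost": {"fqdn": "api.example.com",
       "tls": {"secretName": "api-tls", "enableFallbackCertificate": true},
       "jwtProviders": [{"name": "default", "issuer": "https://idp.example.com"}]}}}
  ]
}`

func main() {
	// Without arguments the constructed sample is scanned; with "-" the list is
	// read from stdin: kubectl get httpproxies -A -o json | go run main.go -
	data := []byte(SampleList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		var err error
		if data, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	bad, err := FindIncompatible(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, name := range bad {
		fmt.Println("Invalid HTTPProxy found:", name)
	}
	if len(bad) > 0 {
		os.Exit(1) // non-zero exit lets a CI or audit job fail on findings
	}
}
```

Against the sample this prints `Invalid HTTPProxy found: apps/api` and exits 1. One deliberate difference from the jq command on this page: jq's `and` treats any non-null value as true, so an HTTPProxy with an empty `jwtProviders: []` would match there, whereas this check requires at least one provider, since an empty list configures no verification to bypass.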

Workarounds

Do not enable .spec.virtualhost.tls.enableFallbackCertificate on HTTPProxy resources that also define .spec.virtualhost.jwtProviders. Remove one of the two settings to avoid the invalid configuration.

References

  • Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate
  • Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/
Database specific
{
    "github_reviewed_at": "2026-07-02T17:15:20Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE"
}
Affected packages

Go / github.com/projectcontour/contour

Package

Name
github.com/projectcontour/contour
Purl
pkg:golang/github.com/projectcontour/contour

Affected ranges

Type
SEMVER
Events
Introduced
1.23.0
Fixed
1.33.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-g3xr-5w5j-w4q4/GHSA-g3xr-5w5j-w4q4.json"