GHSA-9f29-v6mm-pw6w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9f29-v6mm-pw6w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-9f29-v6mm-pw6w/GHSA-9f29-v6mm-pw6w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9f29-v6mm-pw6w
- Aliases
- Related
- Published
- 2026-02-18T15:25:04Z
- Modified
- 2026-02-24T22:14:03.362286Z
- Severity
-
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path
- Details
-
A security vulnerability has been discovered in how the
input.parsed_pathfield is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (//) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served.Attack example
HTTP request:
GET //admin/users HTTP/1.1 Host: example.comPolicy sees:
The leading
//adminpath segment is interpreted as an authority component, and dropped frominput.parsed_pathfield:{ "parsed_path": ["users"] }Backend receives:
//admin/userspath, normalized to/admin/users.Affected Request Pattern Examples
| Request path |
input.parsed_path|input.attributes.request.http.path| Discrepancy | | - | - | - | - | | / | [""] | / | ✅ None | | //foo | [""] | //foo| ❌ Mismatch | | /admin | ["admin"] | /admin | ✅ None | | /admin/users | ["admin", "users"] | /admin/users | ✅ None | | //admin/users | ["users"] | //admin/users | ❌ Mismatch |Impact
Users are impacted if all the following conditions apply:
- Protected resources are path-hierarchical (e.g.,
/admin/usersvs/users) - Authorization policies use
input.parsed_pathfor path-based decisions - Backend servers apply lenient path normalization
Patches
Go:
v1.13.2-envoy-2Docker:1.13.2-envoy-2,1.13.2-envoy-2-staticWorkarounds
Users who cannot immediately upgrade opa-envoy-plugin are recommended to apply one, or more, of the workarrounds described below.
1. Enable the
merge_slashesEnvoy configuration optionAs per Envoy best practices, enabling the merge_slashes configuration option in Envoy will remove redundant slashes from the request path before filtering is applied, effectively mitigating the
input.parsed_pathissue described in this advisory.2. Use
input.attributes.request.http.pathinstead ofinput.parsed_pathin policiesThe
input.attributes.request.http.pathfield contains the unprocessed, raw request path. Users are recommended to update any policy usinginput.parsed_pathto instead use theinput.attributes.request.http.pathfield.Example
package example # Use instead of input.parsed_path parsed_path := split( # tokenize into array trim_left( # drop leading slashes urlquery.decode(input.attributes.request.http.path), # url-decode the path "/", ), "/", ) - Protected resources are path-hierarchical (e.g.,
- Database specific
{ "cwe_ids": [ "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "nvd_published_at": "2026-02-19T20:25:43Z", "github_reviewed_at": "2026-02-18T15:25:04Z" }- References
-
- https://github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w
- https://nvd.nist.gov/vuln/detail/CVE-2026-26205
- https://github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3
- https://github.com/open-policy-agent/opa-envoy-plugin
- https://github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2
Affected packages
Go / github.com/open-policy-agent/opa-envoy-plugin
Package
- Name
- github.com/open-policy-agent/opa-envoy-plugin
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/open-policy-agent/opa-envoy-plugin