{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T00:04:10.245","vulnerabilities":[{"cve":{"id":"CVE-2026-26308","sourceIdentifier":"security-advisories@github.com","published":"2026-03-10T20:16:35.707","lastModified":"2026-03-11T16:23:23.090","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically \"Deny\" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."},{"lang":"es","value":"Envoy es un proxy de alto rendimiento de borde/intermedio/servicio. Antes de 1.37.1, 1.36.5, 1.35.8 y 1.34.13, el filtro RBAC (control de acceso basado en roles) de Envoy contiene una vulnerabilidad lógica en cómo valida los encabezados HTTP cuando hay múltiples valores presentes para el mismo nombre de encabezado. En lugar de validar cada valor de encabezado individualmente, Envoy concatena todos los valores en una única cadena separada por comas. Este comportamiento permite a los atacantes eludir las políticas RBAC —específicamente las reglas de 'Denegar'— enviando encabezados duplicados, ocultando eficazmente el valor malicioso de los mecanismos de coincidencia exacta. Esta vulnerabilidad está corregida en 1.37.1, 1.36.5, 1.35.8 y 1.34.13."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionEndExcluding":"1.34.13","matchCriteriaId":"C4169052-E37B-4577-8689-4DA8D6AFF3F3"},{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionStartIncluding":"1.35.0","versionEndExcluding":"1.35.8","matchCriteriaId":"35DB0A9F-BCEA-48D7-97DE-A63FA24B2032"},{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*","versionStartIncluding":"1.36.0","versionEndExcluding":"1.36.5","matchCriteriaId":"B37DDD3B-8F92-4F76-B3B1-F3743CB41339"},{"vulnerable":true,"criteria":"cpe:2.3:a:envoyproxy:envoy:1.37.0:*:*:*:*:*:*:*","matchCriteriaId":"C5266F62-E0D2-4525-90B6-65921EE14F79"}]}]}],"references":[{"url":"https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}