Threat Advisory

Contour Vulnerability Activates Lua Injection via Cookie Rewrite Policy

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-41246 (CVSS score 8.1) is a Lua code injection vulnerability in the Cookie Rewriting feature of the Contour Kubernetes ingress controller, which uses Envoy as its proxy. The flaw stems from improper handling of user-controlled input in HTTPProxy resource configurations: values supplied in cookie rewrite path parameters are placed directly into Lua scripts that Envoy executes. An attacker with RBAC permissions to create or modify HTTPProxy resources can exploit this by supplying crafted payloads in the cookie rewrite configuration fields, leading to arbitrary code execution within the Envoy proxy runtime. Successful exploitation lets the attacker run code in the proxy environment, potentially exposing sensitive data such as xDS client credentials stored on the filesystem and enabling denial of service against other tenants that share the same Envoy instance. The vulnerability is exploitable remotely with low attack complexity, requires no user interaction and only low privileges, which makes it particularly dangerous in shared or multi-tenant Kubernetes environments.

RECOMMENDATION:

We recommend updating github.com/projectcontour/contour to version 1.31.6, 1.32.5 or 1.33.4, or a later release.
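As an added illustration (not code from this advisory or from the Contour project), the Python script below helps a cluster operator triage exposure: it checks a Contour image tag against the fixed releases named above, and audits exported HTTPProxy objects for cookie rewrite values that fall outside a conservative character allow-list, since a value containing quotes, backslashes, newlines or semicolons has no business in a cookie Path or Domain attribute and is exactly the kind of input that could escape a Lua string literal. The `cookieRewritePolicies`, `pathRewrite` and `domainRewrite` field names are assumed from the Contour HTTPProxy API; the sample objects are constructed for the example.

```python
"""Exposure triage for CVE-2026-41246 (added example, not Contour's own code).

Two checks:
  1. is_patched(): is the running Contour at or above the fixed release for
     its minor line (1.31.6, 1.32.5, 1.33.4 per the advisory)?
  2. audit_all(): do any HTTPProxy cookie rewrite values contain characters
     outside a strict allow-list?  Real input for this would come from
     `kubectl get httpproxies -A -o json`.

Assumed field layout (from the Contour HTTPProxy API):
  spec.routes[].cookieRewritePolicies[]           {name, pathRewrite.value, domainRewrite.value}
  spec.routes[].services[].cookieRewritePolicies[] (same shape)
"""
import json
import re

# Fixed releases from the advisory, keyed by (major, minor).
FIXED_VERSIONS = {(1, 31): (1, 31, 6), (1, 32): (1, 32, 5), (1, 33): (1, 33, 4)}

# Allow-list for cookie Path/Domain rewrite values: path and hostname text only.
# Quotes, backslashes, whitespace, semicolons and bracket characters are flagged.
SAFE_VALUE = re.compile(r"[A-Za-z0-9/._~-]*")


def parse_version(tag):
    """Extract (major, minor, patch) from 'v1.33.3', '1.33.3' or an image ref ending in that tag."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no semantic version found in {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(tag):
    """True if the Contour version in `tag` is at or above the fixed release for its line."""
    v = parse_version(tag)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Lines older than 1.31 have no listed fix; lines newer than 1.33 postdate the fixes.
        return v[:2] > (1, 33)
    return v >= fixed


def _policies(obj):
    """Yield (location, policy) for every cookieRewritePolicies entry in one HTTPProxy."""
    spec = obj.get("spec") or {}
    for i, route in enumerate(spec.get("routes") or []):
        for p in route.get("cookieRewritePolicies") or []:
            yield f"routes[{i}]", p
        for j, svc in enumerate(route.get("services") or []):
            for p in svc.get("cookieRewritePolicies") or []:
                yield f"routes[{i}].services[{j}]", p


def audit_httpproxy(obj):
    """Return a list of finding strings for cookie rewrite values outside the allow-list."""
    meta = obj.get("metadata") or {}
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    findings = []
    for loc, policy in _policies(obj):
        for field in ("pathRewrite", "domainRewrite"):
            value = (policy.get(field) or {}).get("value")
            if value is not None and not SAFE_VALUE.fullmatch(value):
                findings.append(
                    f"{ident} {loc} cookie {policy.get('name')!r}: "
                    f"{field}.value {value!r} contains disallowed characters"
                )
    return findings


def audit_all(items):
    """Audit a list of HTTPProxy objects (e.g. the 'items' of a kubectl JSON list)."""
    findings = []
    for obj in items:
        findings.extend(audit_httpproxy(obj))
    return findings


# Constructed sample: one clean policy, one with a value that would never be a valid cookie path.
SAMPLE_HTTPPROXIES = json.loads("""
{"items": [
  {"metadata": {"namespace": "team-a", "name": "web"},
   "spec": {"routes": [{"conditions": [{"prefix": "/"}],
     "cookieRewritePolicies": [{"name": "session", "pathRewrite": {"value": "/"}, "secure": true}],
     "services": [{"name": "web", "port": 80}]}]}},
  {"metadata": {"namespace": "team-b", "name": "api"},
   "spec": {"routes": [{"conditions": [{"prefix": "/api"}],
     "services": [{"name": "api", "port": 8080,
       "cookieRewritePolicies": [{"name": "id", "pathRewrite": {"value": "/api\\"; broken"}}]}]}]}}
]}
""")

if __name__ == "__main__":
    for tag in ("ghcr.io/projectcontour/contour:v1.33.3", "v1.33.4"):
        print(f"{tag}: {'patched' if is_patched(tag) else 'VULNERABLE'}")
    for line in audit_all(SAMPLE_HTTPPROXIES["items"]):
        print("FINDING:", line)
```

Run it against real data by replacing `SAMPLE_HTTPPROXIES` with the parsed output of `kubectl get httpproxies -A -o json` and the tag with the one from the Contour deployment. A finding does not prove exploitation; it identifies an HTTPProxy whose author should be asked why a cookie path contains such characters, and it is a useful interim guard (for example in an admission policy) while the upgrade is rolled out. The version check only treats the three lines named in the advisory as fixable, so anything on an older line is reported as unpatched.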

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-x4mj-7f9g-29h4
