NIXPKGS-2026-0585

GitHub issue published on

Permalink CVE-2026-26308

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 month, 2 weeks ago by @mweinelt Activity log

Created automatic suggestion 1 month, 2 weeks ago
@mweinelt ignored
11 packages
- opa-envoy-plugin
- python312Packages.envoy-utils
- python313Packages.envoy-utils
- python314Packages.envoy-utils
- python312Packages.envoy-reader
- python313Packages.envoy-reader
- python314Packages.envoy-reader
- python313Packages.envoy-data-plane
- python314Packages.envoy-data-plane
- home-assistant-component-tests.enphase_envoy
- tests.home-assistant-component-tests.enphase_envoy
1 month, 2 weeks ago
@mweinelt accepted 1 month, 2 weeks ago
@mweinelt published on GitHub 1 month, 2 weeks ago

Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 x_refsource_CONFIRM
https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867 x_refsource_MISC

Affected products

envoy

==>= 1.35.0, < 1.35.9
==>= 1.37.0, < 1.37.1
==< 1.34.13
==>= 1.36.0, < 1.36.5

Matching in nixpkgs

pkgs.envoy

Cloud-native edge and service proxy

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.2
- nixos-25.11-small 1.36.2
- nixpkgs-25.11-darwin 1.36.2

pkgs.envoy-bin

Cloud-native edge and service proxy

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.4
- nixos-25.11-small 1.36.4
- nixpkgs-25.11-darwin 1.36.4

Ignored packages (11)

pkgs.opa-envoy-plugin

A plugin to enforce OPA policies with Envoy

nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
nixos-25.11 1.10.0-envoy
- nixos-25.11-small 1.10.0-envoy
- nixpkgs-25.11-darwin 1.10.0-envoy

pkgs.python312Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python313Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1
nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python314Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1

pkgs.python312Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python313Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3
nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python314Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@lukegb Luke Granger-Brown <nix@lukegb.com>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@katexochen Paul Meyer <katexochen0@gmail.com>

https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5
https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0585

References

Affected products

Matching in nixpkgs

pkgs.envoy

pkgs.envoy-bin

pkgs.opa-envoy-plugin

pkgs.python312Packages.envoy-utils

pkgs.python313Packages.envoy-utils

pkgs.python314Packages.envoy-utils

pkgs.python312Packages.envoy-reader

pkgs.python313Packages.envoy-reader

pkgs.python314Packages.envoy-reader

pkgs.python313Packages.envoy-data-plane

pkgs.python314Packages.envoy-data-plane

pkgs.home-assistant-component-tests.enphase_envoy

pkgs.tests.home-assistant-component-tests.enphase_envoy

Package maintainers