CVE-2026-26205
Description
opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (//) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/open-policy-agent/opa-envoy-pluginGo | < 1.13.2-envoy-2 | 1.13.2-envoy-2 |
Affected products
6- osv-coords5 versionspkg:apk/chainguard/opa-envoypkg:apk/chainguard/opa-fips-envoypkg:apk/wolfi/opa-envoypkg:golang/github.com/open-policy-agent/opa-envoy-pluginpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.13.2_p2-r0+ 4 more
- (no CPE)range: < 1.13.2_p2-r0
- (no CPE)range: < 1.13.2_p2-r0
- (no CPE)range: < 1.13.2_p2-r0
- (no CPE)range: < 1.13.2-envoy-2
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-9f29-v6mm-pw6wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26205ghsaADVISORY
- github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3nvdWEB
- github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2nvdWEB
- github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6wnvdWEB
News mentions
0No linked articles in our index yet.