CVE-2026-26205
Description
opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the input.parsed_path field is constructed: HTTP request paths are parsed as full URIs, so a leading path segment prefixed with a double slash (//) is interpreted as an authority component and dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
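The mismatch described above, shown side by side as an added example (not code from the advisory or the opa-envoy-plugin project): `parsedPathBefore` mirrors the pre-fix parse through `url.Parse`, `parsedPathAfter` mirrors the post-fix parse, and `denyAdmin` is a constructed stand-in for a policy that blocks the `/admin` prefix.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parsedPathBefore mirrors the pre-fix behaviour: the request path is parsed
// as a full URI, so "//admin/dashboard" yields Host "admin" and Path
// "/dashboard", and the "admin" segment never reaches the policy.
func parsedPathBefore(path string) ([]string, error) {
	u, err := url.Parse(path)
	if err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimLeft(u.Path, "/"), "/"), nil
}

// parsedPathAfter mirrors the post-fix behaviour: split off the query,
// percent-decode only the path, and trim every leading slash before
// splitting into segments, so no segment is reinterpreted as an authority.
func parsedPathAfter(path string) ([]string, error) {
	rawPath, _, _ := strings.Cut(path, "?")
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return nil, err
	}
	return strings.Split(strings.TrimLeft(decoded, "/"), "/"), nil
}

// denyAdmin is a constructed stand-in for an authorization policy that
// denies any request whose first path segment is "admin".
func denyAdmin(segments []string) bool {
	return len(segments) > 0 && segments[0] == "admin"
}

func main() {
	// Constructed sample paths: the normal form and the double-slash form
	// that a backend would still route to /admin/dashboard.
	for _, p := range []string{"/admin/dashboard", "//admin/dashboard"} {
		before, _ := parsedPathBefore(p)
		after, _ := parsedPathAfter(p)
		fmt.Printf("%-18s before=%v denied=%t | after=%v denied=%t\n",
			p, before, denyAdmin(before), after, denyAdmin(after))
	}
}
```

Running it shows the pre-fix parse evaluating `//admin/dashboard` as `[dashboard]` (policy allows) while the post-fix parse sees `[admin dashboard]` (policy denies), which is the regression check worth keeping in any deployment's policy test suite.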
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/open-policy-agent/opa-envoy-plugin | Go | < 1.13.2-envoy-2 | 1.13.2-envoy-2 |
Patches
58c44d4ec408 Merge commit from fork
2 files changed · +23 −3
envoyauth/request.go+8 −3 modified@@ -112,14 +112,19 @@ func RequestToInput(req any, logger logging.Logger, protoSet *protoregistry.File } func getParsedPathAndQuery(path string) ([]string, map[string]any, error) { - parsedURL, err := url.Parse(path) + rawPath, rawQuery, _ := strings.Cut(path, "?") + + decodedPath, err := url.PathUnescape(rawPath) if err != nil { return nil, nil, err } - parsedPath := strings.Split(strings.TrimLeft(parsedURL.Path, "/"), "/") + parsedPath := strings.Split(strings.TrimLeft(decodedPath, "/"), "/") - query := parsedURL.Query() + query, err := url.ParseQuery(rawQuery) + if err != nil { + return nil, nil, err + } parsedQueryInterface := make(map[string]any, len(query)) for paramKey, paramValues := range query { parsedQueryInterface[paramKey] = paramValues
envoyauth/request_test.go+15 −0 modified@@ -651,6 +651,21 @@ func TestParsedPathAndQuery(t *testing.T) { []string{"my", "test", "path"}, map[string]any{"a": []string{"1", "new\nline"}}, }, + { + createExtReqWithPath("//x/people"), + []string{"x", "people"}, + map[string]any{}, + }, + { + createExtReqWithPath("//admin/dashboard"), + []string{"admin", "dashboard"}, + map[string]any{}, + }, + { + createExtReqWithPath("//x/people?a=1"), + []string{"x", "people"}, + map[string]any{"a": []string{"1"}}, + }, } for _, tt := range tests {
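Review bot: in the `getParsedPathAndQuery` hunk, `url.PathUnescape(rawPath)` runs before `strings.Split(strings.TrimLeft(decodedPath, "/"), "/")`, so a percent-encoded slash (`%2F`) inside a segment is decoded and then treated as a segment boundary; a backend that keeps `%2F` literal would see a different segment list than the policy, which is the same class of mismatch this change fixes for a leading `//`. Consider splitting on the raw path and unescaping each segment, or at least documenting the chosen normalization next to `rawPath, rawQuery, _ := strings.Cut(path, "?")` with a short comment on why `url.Parse` was dropped (it reads a leading `//` as an authority).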
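Review bot: the three new cases in `TestParsedPathAndQuery` only cover exactly two leading slashes; add one with three or more (`///x/people`), since `strings.TrimLeft(decodedPath, "/")` is expected to collapse those as well, and one with an invalid percent-encoding (for example `/x%zz`) to pin the new error return from `url.PathUnescape`. An encoded-slash case (`/x%2Fy`) would also record whether `%2F` is intended to become a segment boundary.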
References
- github.com/advisories/GHSA-9f29-v6mm-pw6w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-26205 (GHSA, advisory)
- github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3 (NVD, web)
- github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2 (NVD, web)
- github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w (NVD, web)