Description

opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.

INFO

Published Date :

2026-02-19T19:31:26.905Z

Last Modified :

2026-02-19T21:22:21.384Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26205 vulnerability.

Vendors Products
Open-policy-agent
  • Opa-envoy-plugin
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26205.

URL Resource
https://github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3 cve-icon cve-icon
https://github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2 cve-icon cve-icon
https://github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability