(Contour), Lua code injection, CVE-2026-41246 (High)

Listen to this Post

Vulnerability (CVE-2026-41246): From v1.19.0 to before v1.33.4/v1.32.5/v1.31.6, Contour’s Cookie Rewriting feature—which uses Envoy’s Lua filter—interpolates user‑controlled values into Lua source code with Go’s `text/template` without sanitization. An attacker with RBAC permissions to create/modify HTTPProxy resources can inject malicious Lua into the `pathRewrite.value` fields of `spec.routes[].cookieRewritePolicies[]` or spec.routes[].services[].cookieRewritePolicies[]. Although the code executes only on the attacker’s own route, the shared Envoy infrastructure allows the injected code to read Envoy’s xDS client credentials (potentially exposing TLS certificates/private keys of other tenants) and cause denial of service for other tenants. Other Lua filter uses are unaffected. Fixed in v1.33.4 (requires Envoy 1.35.0+), v1.32.5, and v1.31.6; no workarounds—upgrade is mandatory.

DailyCVE Form

Platform: Contour
Version: 1.19.0‑1.33.3, 1.32.0‑1.32.4, 1.31.0‑1.31.5
Vulnerability: Lua Code Injection
Severity: High (CVSS 8.1)
Date: 2026‑04‑23

Prediction: Patch available in v1.33.4/v1.32.5/v1.31.6

What Undercode Say (Analytics)

Check running Contour version
kubectl get deployment contour -n projectcontour -o jsonpath='{.spec.template.spec.containers[?(@.name=="contour")].image}'
Fast‑detect vulnerable versions with jq
kubectl get httpproxy --all-namespaces -o json | jq -r '.items[] | select(.spec.routes[]?.cookieRewritePolicies[]?.pathRewrite.value // .spec.routes[]?.services[]?.cookieRewritePolicies[]?.pathRewrite.value) | .metadata.namespace + "/" + .metadata.name'
Simulate unsafe template interpolation (Go demo)
package main
import "text/template"
func main() {
tpl := template.Must(template.New("lua").Parse(<code>rewrite_path("{{.Value}}")</code>))
tpl.Execute(nil, map[bash]string{"Value": <code>"); os.execute("rm -rf /") --</code>})
}

How Exploit

Craft a HTTPProxy resource containing a Lua payload in pathRewrite.value, e.g.:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
spec:
routes:
- cookieRewritePolicies:
- pathRewrite:
value: '"); evil_code() --'

Apply with kubectl apply -f malicious-proxy.yaml. The injected Lua runs in Envoy when the route is accessed, enabling credential theft or DoS.

Protection from this CVE

Immediately upgrade to Contour v1.33.4 (requires Envoy 1.35.0+), v1.32.5, or v1.31.6. No workarounds exist.

Impact

  • Arbitrary Lua code execution in Envoy proxy.
  • Read Envoy xDS credentials → exfiltrate TLS certs/private keys of other tenants.
  • Denial of service for other tenants sharing the Envoy instance.
  • Compromise of cluster‑wide configuration data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top