What is the severity of CVE-2026-41246?

CVE-2026-41246 has a CVSS v3 score of 8.1, which is classified as High severity.

Is there an exploit available for CVE-2026-41246?

No known public exploits are currently available for CVE-2026-41246.

Is there a patch available for CVE-2026-41246?

Yes, patches are available for CVE-2026-41246. Check the vendor advisories for update instructions.

CVE-2026-41246 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-41246?

### Impact Contour's [Cookie Rewriting](https://projectcontour.io/docs/1.33/config/cookie-rewriting/) feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify `HTTPProxy` resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: - `spec.routes[].cookieRewritePolicies[].pathRewrite.value` - `spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value` The cookie rewriting feature is internally implemented using Envoy's [HTTP Lua filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter). User-controlled values are interpolated into Lua source code using Go `text/template` without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also: - Read Envoy's xDS client credentials from the filesystem, which could be used to read all Contour xDS configuration, including TLS certificates and private keys of other tenants. - Cause denial of service for other tenants sharing the Envoy instance. Other use cases of Lua filter are not vulnerable. ### Patches The fix is available in Contour [v1.33.4](https://github.com/projectcontour/contour/releases/tag/v1.33.4), [v1.32.5](https://github.com/projectcontour/contour/releases/tag/v1.32.5), and [v1.31.6](https://github.com/projectcontour/contour/releases/tag/v1.31.6). - v1.33.4: User-provided values are no longer interpolated into Lua code. Use of `text/template` is removed. Requires Envoy 1.35.0 or later. - v1.32.5, v1.31.6: User-provided values are escaped before interpolation into Lua code. ### Workarounds There are no workarounds. Users should upgrade to a patched version.

Published: May 24, 2026

Last updated:1 day ago (May 24, 2026)

Updated May 24, 2026

no major risk factors

Impact

Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy:

spec.routes[].cookieRewritePolicies[].pathRewrite.value
spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value

The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization.

The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also:

Read Envoy's xDS client credentials from the filesystem, which could be used to read all Contour xDS configuration, including TLS certificates and private keys of other tenants.
Cause denial of service for other tenants sharing the Envoy instance.

Other use cases of Lua filter are not vulnerable.

Patches

The fix is available in Contour v1.33.4, v1.32.5, and v1.31.6.

v1.33.4: User-provided values are no longer interpolated into Lua code. Use of text/template is removed. Requires Envoy 1.35.0 or later.
v1.32.5, v1.31.6: User-provided values are escaped before interpolation into Lua code.

Workarounds

There are no workarounds. Users should upgrade to a patched version.

Strobes VI. (2026). CVE-2026-41246 - CVE Details and Analysis. Strobes VI. Retrieved May 25, 2026, from https://vi.strobes.co/cve/CVE-2026-41246

Vendor	Product
Projectcontour	Contour

NVD: Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. The cookie rewriting feature is internally implemented using Envoy's HTTP Lua filter. User-controlled values are interpolated into Lua source code using Go text/template without sufficient sanitization. The injected code only executes when processing traffic on the attacker's own route, which they already control. However, since Envoy runs as shared infrastructure, the injected code can also read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance. This vulnerability is fixed in v1.33.4, v1.32.5, and v1.31.6.

Ready for Agentic Automated Testing?

CVE-2026-41246

Impact

Patches

Workarounds