

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensi…
Published:
11 January 2026 at 23:00:00
Alert date:
12 January 2026 at 21:02:40
Source:
nvd.nist.gov
Network Infrastructure, Cloud & Virtualization
Envoy Gateway versions prior to 1.5.7 and 1.6.2 contain a vulnerability where EnvoyExtensionPolicy Lua scripts can leak proxy credentials. These leaked credentials enable unauthorized communication with the control plane and access to all Envoy proxy secrets including TLS private keys and communication credentials. The vulnerability affects both standalone and Kubernetes-based Envoy Gateway deployments. Fixed versions 1.5.7 and 1.6.2 are available to address this security issue.
Technical details
Mitigation steps:
Affected products:
Envoy Gateway
Envoy Proxy
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22771
https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.

