CVE-2026-26205 Overview
CVE-2026-26205 is an authorization bypass vulnerability affecting the OPA Envoy Plugin (opa-envoy-plugin), a critical component used to enforce Open Policy Agent (OPA) policies within Envoy proxy deployments. The vulnerability exists in how the input.parsed_path field is constructed when processing HTTP request paths. Specifically, paths are incorrectly treated as full URIs during parsing, causing leading path segments prefixed with double slashes (//) to be interpreted as authority components and subsequently dropped from the parsed path.
This path interpretation mismatch between authorization policies and backend servers creates a dangerous security gap, enabling attackers to craft malicious requests that bypass access controls. The authorization filter evaluates a different path than the one ultimately served by the backend, effectively negating security policies.
Critical Impact
Attackers can bypass OPA authorization policies by exploiting path parsing inconsistencies, potentially gaining unauthorized access to protected API endpoints and resources behind Envoy proxies.
Affected Products
- OPA Envoy Plugin versions prior to 1.13.2-envoy-2
- Envoy proxy deployments using vulnerable OPA plugin versions
- Applications relying on OPA policies for path-based authorization
Discovery Timeline
- 2026-02-19 - CVE CVE-2026-26205 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26205
Vulnerability Analysis
The vulnerability stems from improper handling of HTTP request paths in the OPA Envoy Plugin's path parsing logic. When the plugin constructs the input.parsed_path field for policy evaluation, it incorrectly applies URI parsing semantics to HTTP request paths. This causes path segments beginning with double slashes (//) to be misinterpreted as the authority component of a URI (as defined in RFC 3986), rather than as literal path segments.
For example, a request to //admin/secret-endpoint would have the //admin portion stripped from the parsed path, leaving only /secret-endpoint for policy evaluation. However, the backend server receives and processes the original full path //admin/secret-endpoint. This discrepancy allows attackers to access resources that should be protected by path-based authorization policies.
This vulnerability is classified under CWE-863 (Incorrect Authorization), as it results in the authorization mechanism making decisions based on incorrect or incomplete information about the requested resource.
Root Cause
The root cause is a fundamental semantic mismatch in path parsing logic. The plugin incorrectly treats HTTP request paths as complete URIs during parsing operations. In URI parsing, a path beginning with // indicates the start of an authority component (typically a host), causing the parser to consume and discard this portion of the input. The plugin should instead treat the path as a raw path string without applying full URI parsing semantics.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying protected endpoints in the target application that rely on OPA path-based policies
- Crafting HTTP requests with path prefixes containing double slashes (//)
- Sending these malformed requests to bypass authorization checks
- Gaining access to protected resources that the backend server processes normally
For example, if an OPA policy denies access to /admin/* paths, an attacker could request //admin/sensitive-data. The authorization filter would evaluate the path as /sensitive-data (after dropping //admin), potentially allowing the request, while the backend would serve the original /admin/sensitive-data resource.
The vulnerability is exploitable remotely over the network without requiring any special privileges. The attack complexity is low, though some environmental conditions must be met (path-based authorization policies must be in use).
Detection Methods for CVE-2026-26205
Indicators of Compromise
- HTTP access logs containing request paths with unusual double-slash (//) prefixes
- Unexpected access to protected endpoints from unauthorized sources
- OPA decision logs showing path evaluations that don't match corresponding access logs
- Anomalous traffic patterns targeting administrative or sensitive API endpoints
Detection Strategies
- Implement log correlation between Envoy access logs and OPA decision logs to identify path discrepancies
- Create alerting rules for HTTP requests containing // at the start of paths or within path segments
- Deploy web application firewall (WAF) rules to detect and block path manipulation attempts
- Review OPA audit logs for authorization decisions on paths that don't match expected patterns
Monitoring Recommendations
- Enable detailed logging in both Envoy proxy and OPA to capture full request paths and policy decisions
- Monitor for increased access to sensitive endpoints that may indicate exploitation attempts
- Set up automated alerts for requests with malformed or unusual path patterns
- Regularly audit access patterns to protected resources for anomalies
How to Mitigate CVE-2026-26205
Immediate Actions Required
- Upgrade to OPA Envoy Plugin version 1.13.2-envoy-2 or later immediately
- Review access logs for any signs of exploitation attempts using double-slash path manipulation
- Audit existing OPA policies to identify path-based authorization rules that may have been bypassed
- Consider implementing additional path normalization at the Envoy level as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in OPA Envoy Plugin version 1.13.2-envoy-2. The fix corrects the path parsing logic to properly handle HTTP request paths without incorrectly interpreting them as full URIs.
Relevant resources:
Workarounds
- Implement path normalization in Envoy using Lua filters or external processing to sanitize paths before OPA evaluation
- Deploy an upstream reverse proxy or WAF that normalizes paths and rejects requests with malformed path patterns
- Add explicit OPA policy rules to deny requests containing suspicious path patterns with double slashes
- Consider implementing additional authorization checks at the application layer as defense-in-depth
# Example Envoy Lua filter configuration to normalize paths
# Add this to your Envoy configuration to reject paths with double slashes
envoy:
http_filters:
- name: envoy.filters.http.lua
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
local path = request_handle:headers():get(":path")
if string.match(path, "^//") then
request_handle:respond({[":status"] = "400"}, "Invalid path")
end
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
