Envoy Extension Policy lua scripts injection causes arbitrary command execution

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.

AI Analysis

Lua scripts executed by Envoy proxy can leak credentials, allowing access to secrets and communication with the control plane.

Basic Information

ID CVE-2026-22771

Source GitHub_M

Published Jan 12, 2026 at 18:08

Affected Product

Vendor envoyproxy

Product gateway

Version < 1.5.7

Affected Versions envoyproxy gateway < 1.5.7
envoyproxy gateway >= 1.6.0-rc.0, < 1.6.2

CWE Classification

CWE-94

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Envoyproxy

Product Envoy Gateway

Version < 1.5.7, >= 1.6.0-rc.0, < 1.6.2

References

github.com /envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22

{
    "lastseen": "",
    "description": "Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.",
    "published": "2026-01-12T18:08:22.532Z",
    "modified": "2026-01-12T18:08:22.532Z",
    "type": "cve",
    "title": "Envoy Extension Policy lua scripts injection causes arbitrary command execution",
    "source": "GitHub_M",
    "references": "https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22",
    "id": "CVE-2026-22771",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "envoyproxy gateway < 1.5.7\nenvoyproxy gateway >= 1.6.0-rc.0, < 1.6.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gateway",
    "version": "< 1.5.7",
    "vendor": "envoyproxy",
    "ai_description": "Lua scripts executed by Envoy proxy can leak credentials, allowing access to secrets and communication with the control plane.",
    "ai_severity": "High",
    "ai_vendor": "Envoyproxy",
    "ai_product": "Envoy Gateway",
    "ai_version": "< 1.5.7, >= 1.6.0-rc.0, < 1.6.2",
    "ai_score": 8.8
}

Envoy Extension Policy lua scripts injection causes arbitrary command execution_CVE-2026-22771