v1.33.4 is a security-critical patch fixing a Lua code injection CVE in Contour's Cookie Rewriting feature — upgrade immediately, and note the hard Envoy 1.35.0 minimum requirement.
securityPatch CVE-2026-41246 immediately — arbitrary code execution risk in shared Envoy
Any tenant with RBAC permissions to create or modify HTTPProxy resources could inject arbitrary Lua code through a crafted pathRewrite value. In multi-tenant clusters where Envoy is shared infrastructure, this means a compromised or malicious tenant could steal xDS client credentials or deny service to other tenants. Upgrade Contour to v1.33.4 and ensure Envoy is at 1.35.0 or later before deploying. Audit your RBAC policies to limit HTTPProxy write access to trusted principals as a defense-in-depth measure.
breakingEnvoy 1.35.0 minimum — verify your Envoy version before upgrading Contour
This release will not function correctly with Envoy versions older than 1.35.0 due to the new filterContext-based Lua approach. If you manage your own Envoy image or pin versions, upgrade Envoy first. The bundled Envoy in the official manifests is already at v1.35.10, so if you use the standard deployment you're covered — but custom or air-gapped environments need explicit attention here.
enhancementReview HTTPProxy RBAC regardless of upgrade timing
Even after patching, the underlying attack surface is broad write access to HTTPProxy resources. Take this as a signal to tighten RBAC: restrict HTTPProxy creation/modification to platform operators rather than application developers where possible. In high-trust multi-tenant environments this kind of privilege separation is the right long-term control.
Key changes (4)
- CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies pathRewrite values could allow arbitrary code execution in Envoy
- Cookie Rewriting feature redesigned: text/template generation dropped in favor of structured filterContext data passed to a static Lua script
- Envoy 1.35.0 is now a hard minimum requirement for this release
- Bundled Envoy bumped to v1.35.10