RATATOSKRATATOSK
ログイン

Contour

v1.31.6Networking & Messaging
2026年4月21日

Contour v1.31.6 patches a Lua code injection vulnerability (CVE-2026-41246) in Cookie Rewriting that could allow arbitrary code execution in shared Envoy infrastructure.

  • securityPatch immediately if you allow untrusted users to create/modify HTTPProxy resources

    CVE-2026-41246 is a privilege escalation path in multi-tenant clusters. Any user with RBAC write access to HTTPProxy objects can inject arbitrary Lua into Envoy — and since Envoy is shared infrastructure, the blast radius extends to other tenants and exposes xDS credentials. Upgrade to v1.31.6 now. If you cannot upgrade immediately, audit existing HTTPProxy objects for suspicious pathRewrite values and tighten RBAC so only trusted principals can write HTTPProxy resources.

  • enhancementReview RBAC around HTTPProxy write permissions regardless of upgrade status

    This CVE class — user-controlled values interpolated into code — is a design risk whenever untrusted users can write Kubernetes custom resources that drive proxy configuration. Use this as a prompt to apply least-privilege RBAC on HTTPProxy, HTTPRoute, and similar resources across your clusters. Namespace-scoped RBAC and admission webhooks that validate pathRewrite values are good mitigations to layer on top of the patch.

主な変更 (4)

  • Security fix for CVE-2026-41246: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
  • Injected code could exfiltrate Envoy xDS client credentials from the filesystem or cause DoS for co-tenants
  • Fix escapes user-provided values before interpolation into Lua code — no API changes required
  • Envoy bumped to v1.34.14