Contour
v1.32.5Networking & Messagingv1.32.5 is a security patch fixing a Lua code injection vulnerability (CVE-2026-41246) in Contour's Cookie Rewriting feature, plus an Envoy bump to v1.34.14. Upgrade immediately in multi-tenant environments.
securityPatch CVE-2026-41246 immediately in multi-tenant clusters
Any cluster where untrusted users or teams have RBAC permissions to create or modify HTTPProxy resources is directly exposed. An attacker crafts a pathRewrite.value that breaks out of the Lua string context, gaining code execution in Envoy — which runs as shared infrastructure. That means credential theft (xDS client certs) or denial of service for every tenant on the same Envoy instance. Upgrade to v1.32.5 now. While you prepare the upgrade, audit who has create/update rights on HTTPProxy and tighten RBAC to the minimum necessary.
breakingReview existing cookieRewritePolicies after upgrade
The fix adds escaping to pathRewrite.value inputs. Legitimate values with special characters (backslashes, quotes, etc.) will now be escaped before Lua interpolation, which changes runtime behavior. Test any HTTPProxy resources using cookieRewritePolicies[].pathRewrite.value in a staging environment post-upgrade to confirm cookie rewriting still behaves as expected.
enhancementEnvoy v1.34.14 is bundled — no separate action needed
The Envoy bump is included in the Contour image. If you run a managed Envoy deployment alongside Contour, verify your Envoy image is also updated to v1.34.14 to stay consistent with Contour's tested configuration.
主な変更 (5)
- CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
- Attackers with HTTPProxy RBAC write access could achieve arbitrary code execution inside the shared Envoy proxy
- Injected code could exfiltrate Envoy's xDS client credentials or cause DoS for co-located tenants
- Fix escapes user-provided cookie path rewrite values before Lua interpolation
- Envoy updated to v1.34.14