Envoy
v1.36.5Networking & MessagingEnvoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.
securityUpgrade immediately for critical crash fixes
Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.
securityReview RBAC policies for multivalue header bypass
CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.
enhancementTest OAuth2 workflows after host rewriting fix
The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.
主な変更 (5)
- Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
- OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
- Migration from internal googleurl to open source Google GURL library
- Kafka test binary updated to version 3.9.2
- Docker base image security updates