Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-26308

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month ago

Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 x_refsource_CONFIRM
https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867 x_refsource_MISC

Affected products

envoy

==>= 1.37.0, < 1.37.1
==< 1.34.13
==>= 1.36.0, < 1.36.5
==>= 1.35.0, < 1.35.9

Matching in nixpkgs

pkgs.envoy

Cloud-native edge and service proxy

nixos-unstable 1.36.2
- nixpkgs-unstable 1.36.2
- nixos-unstable-small 1.36.2
nixos-25.11 1.36.2
- nixos-25.11-small 1.36.2
- nixpkgs-25.11-darwin 1.36.2

pkgs.envoy-bin

Cloud-native edge and service proxy

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.4
- nixos-25.11-small 1.36.4
- nixpkgs-25.11-darwin 1.36.4

pkgs.opa-envoy-plugin

A plugin to enforce OPA policies with Envoy

nixos-unstable 1.13.2-envoy-2
- nixpkgs-unstable 1.13.2-envoy-2
- nixos-unstable-small 1.13.2-envoy-2
nixos-25.11 1.10.0-envoy
- nixos-25.11-small 1.10.0-envoy
- nixpkgs-25.11-darwin 1.10.0-envoy

pkgs.python312Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python313Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1
nixos-25.11 0.0.1
- nixos-25.11-small 0.0.1
- nixpkgs-25.11-darwin 0.0.1

pkgs.python314Packages.envoy-utils

Python utilities for the Enphase Envoy

nixos-unstable 0.0.1
- nixpkgs-unstable 0.0.1
- nixos-unstable-small 0.0.1

pkgs.python312Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python313Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3
nixos-25.11 0.21.3
- nixos-25.11-small 0.21.3
- nixpkgs-25.11-darwin 0.21.3

pkgs.python314Packages.envoy-reader

Python module to read from Enphase Envoy units

nixos-unstable 0.21.3
- nixpkgs-unstable 0.21.3
- nixos-unstable-small 0.21.3

pkgs.python313Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.python314Packages.envoy-data-plane

Python dataclasses for the Envoy Data-Plane-API

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3

pkgs.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-component-tests.enphase_envoy

Open source home automation that puts local control and privacy first

nixos-unstable 2026.2.3
- nixpkgs-unstable 2026.2.3
- nixos-unstable-small 2026.2.3

Package maintainers

@lukegb Luke Granger-Brown <nix@lukegb.com>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@charlieegan3 Charlie Egan <git@charlieegan3.com>
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>