Product
A vulnerability in Envoy Gateway, when operating in GatewayNamespaceMode, allows unauthenticated access to the xDS gRPC server on port 18000. This is due to a missing unary interceptor and an authentication bypass in the JWT interceptor that fails to validate specific message types (DiscoveryRequest). Any pod within the cluster can exploit this flaw using the State-of-the-World (SotW) xDS protocol to retrieve sensitive information, including TLS private keys, all xDS resources, backend endpoints, and routing rules.