{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/envoy-gateway-versions-before-1.7.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Envoy Gateway (versions before 1.7.4)","Envoy Gateway (versions 1.8.0-rc.0 through 1.8.0)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","information-disclosure","cloud","network"],"_cs_type":"advisory","_cs_vendors":["Envoyproxy"],"content_html":"\u003cp\u003eEnvoy Gateway versions prior to 1.7.4 and versions 1.8.0-rc.0 through 1.8.0 are susceptible to an information disclosure vulnerability, CVE-2026-53714, when deployed in \u003ccode\u003eGatewayNamespaceMode\u003c/code\u003e (\u003ccode\u003eprovider.kubernetes.deploy.type=GatewayNamespace\u003c/code\u003e). This flaw stems from an incomplete implementation of authentication within the xDS gRPC server. Specifically, the server lacks a unary interceptor and its JWT authentication interceptor incorrectly bypasses validation for \u003ccode\u003ediscoveryv3.DiscoveryRequest\u003c/code\u003e messages, which are part of the State-of-the-World (SotW) xDS protocol. This oversight allows any unauthenticated pod within the Kubernetes cluster that can reach the xDS server on port 18000 to access sensitive configuration data, including TLS private keys, all xDS resources (ADS), backend service endpoints (CDS/EDS), and routing rules (RDS/LDS). The vulnerability has been reported by @dashingDragon and @Donjon-Cerberus.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious pod or compromised application within the Kubernetes cluster identifies the Envoy Gateway xDS server listening on port 18000.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a gRPC connection to the xDS server without providing any authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ediscoveryv3.DiscoveryRequest\u003c/code\u003e message to leverage the State-of-the-World (SotW) xDS protocol.\u003c/li\u003e\n\u003cli\u003eThe Envoy Gateway's JWT authentication interceptor, configured for \u003ccode\u003eGatewayNamespaceMode\u003c/code\u003e, fails to validate this specific message type, bypassing any authentication checks.\u003c/li\u003e\n\u003cli\u003eThe xDS server processes the unauthenticated \u003ccode\u003eDiscoveryRequest\u003c/code\u003e successfully due to the missing unary interceptor and the authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker then requests sensitive xDS resources, including TLS private keys via StreamSecrets (SDS), aggregated xDS resources via StreamAggregatedResources (ADS), backend endpoints via StreamClusters/StreamEndpoints (CDS/EDS), and routing rules via StreamRoutes/StreamListeners (RDS/LDS).\u003c/li\u003e\n\u003cli\u003eThe Envoy Gateway xDS server responds to the unauthenticated request, disclosing critical configuration data to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53714 leads to unauthenticated information disclosure of highly sensitive data. Attackers can gain access to TLS private keys, which could be used to decrypt encrypted traffic, impersonate services, or enable further attacks. Disclosure of xDS resources, backend endpoints, and routing rules provides a comprehensive understanding of the cluster's network topology and service configurations, allowing attackers to plan sophisticated follow-on attacks, redirect traffic, or achieve persistent access. This vulnerability affects any organization using Envoy Gateway in \u003ccode\u003eGatewayNamespaceMode\u003c/code\u003e within a Kubernetes environment, potentially exposing core infrastructure secrets and network configurations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-53714 immediately by upgrading Envoy Gateway to a non-vulnerable version (e.g., 1.7.4 or later, or 1.8.1 or later) as referenced in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation and access controls within your Kubernetes clusters to restrict access to the Envoy Gateway xDS server on port 18000, ensuring only authorized components can connect.\u003c/li\u003e\n\u003cli\u003eMonitor network connection logs for any suspicious or unauthorized access attempts to Envoy Gateway's xDS server on port 18000 from unexpected sources or without proper authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:33:23Z","date_published":"2026-07-16T19:33:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-envoy-gateway-xds-info-disclosure/","summary":"A vulnerability in Envoy Gateway, when operating in GatewayNamespaceMode, allows unauthenticated access to the xDS gRPC server on port 18000. This is due to a missing unary interceptor and an authentication bypass in the JWT interceptor that fails to validate specific message types (DiscoveryRequest). Any pod within the cluster can exploit this flaw using the State-of-the-World (SotW) xDS protocol to retrieve sensitive information, including TLS private keys, all xDS resources, backend endpoints, and routing rules.","title":"Envoy Gateway xDS Control Plane Information Disclosure Vulnerability (CVE-2026-53714)","url":"https://feed.craftedsignal.io/briefs/2026-07-envoy-gateway-xds-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Envoy Gateway (Versions Before 1.7.4)","version":"https://jsonfeed.org/version/1.1"}