{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/envoy-proxy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Envoy Gateway (\u003c 1.7.4)","Envoy Gateway (\u003e= 1.8.0-rc.0, \u003c 1.8.1)"],"_cs_severities":["critical"],"_cs_tags":["envoy","gateway","vulnerability","path-traversal","file-disclosure","kubernetes","cloud"],"_cs_type":"advisory","_cs_vendors":["Envoy Proxy"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-53713, has been identified in Envoy Gateway versions prior to v1.7.4 and between v1.8.0-rc.0 and v1.8.1. The flaw resides in the \u003ccode\u003eto_absolute_normalized_path\u003c/code\u003e Lua function within the \u003ccode\u003eEnvoyExtensionPolicy\u003c/code\u003e component. This function's failure to properly collapse redundant path separators (e.g., \u003ccode\u003e//\u003c/code\u003e instead of \u003ccode\u003e/\u003c/code\u003e) allows malicious Lua code to craft paths that bypass the \u003ccode\u003eis_critical_path\u003c/code\u003e security check. This bypass enables an attacker to read arbitrary files from the gateway controller pod's filesystem. Successful exploitation can lead to the disclosure of highly sensitive information, including Kubernetes Service Account tokens, TLS certificates, \u003ccode\u003e/etc/passwd\u003c/code\u003e, and process environment variables, potentially granting unauthorized access to the Kubernetes API Server or the Gateway XDS server. This vulnerability presents a severe risk to the confidentiality and integrity of Kubernetes environments utilizing affected Envoy Gateway versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious Lua code designed to read sensitive files.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this malicious Lua code as an \u003ccode\u003eEnvoyExtensionPolicy\u003c/code\u003e to the vulnerable Envoy Gateway.\u003c/li\u003e\n\u003cli\u003eThe submitted Lua code attempts to access a sensitive file using a path containing redundant separators, such as \u003ccode\u003e//etc/passwd\u003c/code\u003e or \u003ccode\u003e//var/run/secrets/kubernetes.io/serviceaccount/token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eto_absolute_normalized_path\u003c/code\u003e function (security.lua:28-43) in Envoy Gateway fails to correctly normalize the path by not collapsing the redundant path separators.\u003c/li\u003e\n\u003cli\u003eConsequently, the \u003ccode\u003eis_critical_path\u003c/code\u003e function, which is designed to prevent access to sensitive locations by checking for paths starting with specific critical prefixes (e.g., \u003ccode\u003e/etc/\u003c/code\u003e), fails to recognize the crafted path (e.g., \u003ccode\u003e//etc/passwd\u003c/code\u003e) as critical because it does not match its expected format.\u003c/li\u003e\n\u003cli\u003eThe critical-path check is bypassed due to this input validation flaw.\u003c/li\u003e\n\u003cli\u003eThe Envoy Gateway controller pod's filesystem is accessed by the malicious Lua code at the unnormalized path.\u003c/li\u003e\n\u003cli\u003eArbitrary sensitive files, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e, Kubernetes Service Account tokens, TLS certificates, or process environment variables (\u003ccode\u003e/proc/self/environ\u003c/code\u003e), are read and disclosed to the attacker.\u003c/li\u003e\n\u003cli\u003eThe disclosed credentials or sensitive information can then be used to achieve authentication bypass to the Kubernetes API Server or the Gateway XDS server, leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53713 can lead to severe data breaches and system compromise. Attackers can read critical files from the Envoy Gateway controller pod's filesystem, including system user information from \u003ccode\u003e/etc/passwd\u003c/code\u003e, Kubernetes Service Account tokens that provide programmatic access to the Kubernetes API, private TLS certificates, and sensitive environment variables from \u003ccode\u003e/proc/self/environ\u003c/code\u003e. The disclosure of these credentials and sensitive data enables attackers to bypass authentication mechanisms for the Kubernetes API Server or the Gateway XDS server, granting them unauthorized access to manage Kubernetes resources, exfiltrate data, or execute further attacks within the cluster. This could result in complete cluster compromise, affecting all hosted applications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-53713 by upgrading Envoy Gateway to version \u003ccode\u003ev1.7.4\u003c/code\u003e or later, or \u003ccode\u003ev1.8.1\u003c/code\u003e or later, on all affected deployments immediately.\u003c/li\u003e\n\u003cli\u003eRefer to the \u0026quot;Warning\u0026quot; section in the official Envoy Gateway Lua documentation (as referenced in the source under \u0026quot;Workarounds\u0026quot;) for additional measures to reduce risk related to Lua extensibility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T19:24:28Z","date_published":"2026-07-16T19:24:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-envoy-gateway-auth-bypass-secret-disclosure/","summary":"A critical path traversal vulnerability (CVE-2026-53713) exists in the `to_absolute_normalized_path` function of Envoy Gateway due to improper input validation, allowing specially crafted Lua code submitted via an `EnvoyExtensionPolicy` to bypass critical-path checks and read arbitrary sensitive files from the gateway controller pod's filesystem, potentially leading to authentication bypass to the Kubernetes API Server or Gateway XDS server.","title":"Envoy Gateway Authentication Bypass via Path Traversal Leads to Secret Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-07-envoy-gateway-auth-bypass-secret-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed - Envoy Proxy","version":"https://jsonfeed.org/version/1.1"}