CVE-2026-22771

HIGH

Envoy Gateway < 1.5.7 and 1.6.0-rc.0-1.6.2 - Credential Leak via EnvoyExtensionPolicy Lua Scripts

Title source: llm

Description

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.

References (1)

Core 1

Core References

Exploit, Vendor Advisory, Mitigation x_refsource_confirm

https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22

Scores

CVSS v3 8.8

EPSS 0.0048

EPSS Percentile 37.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

envoyproxy/gateway < 1.5.7

envoyproxy/gateway 1.6.0-rc.0 - 1.6.2Go

Published Jan 12, 2026

Tracked Since Feb 18, 2026