CVE-2026-22771
Credential Leakage via EnvoyExtensionPolicy Lua in Envoy Gateway

Publication date: 2026-01-12

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: envoyproxy
Product: gateway
Version / Range: up to 1.6.2 (excluding)

CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-22771 is a high-severity vulnerability in Envoy Gateway versions prior to 1.5.7 and 1.6.2. It involves EnvoyExtensionPolicy Lua scripts executed by the Envoy proxy that can leak sensitive credentials such as TLS private keys and Kubernetes service account tokens. These credentials can be used by an attacker to communicate with the control plane, access all secrets used by Envoy proxy, escalate privileges, run arbitrary pods, and potentially delete the Envoy Gateway itself. The vulnerability arises because Lua scripts can read and exfiltrate sensitive files, and the patch introduces secure defaults and options to disable Lua scripts to prevent this arbitrary code execution. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive credentials used by Envoy proxy, such as TLS private keys and Kubernetes service account tokens. An attacker exploiting this can communicate with the control plane, access all secrets, escalate privileges, run arbitrary pods in the envoy-gateway-system namespace, and potentially delete the Envoy Gateway. This compromises confidentiality, integrity, and availability of the system. [1]

Detection Guidance

Detection involves checking for EnvoyExtensionPolicy Lua scripts that may be leaking credentials. Audit Kubernetes for EnvoyExtensionPolicy resources containing Lua scripts, for example with kubectl get envoyextensionpolicies --all-namespaces -o yaml | grep -i lua, or inspect the Envoy Gateway controller logs for suspicious Lua script execution or error messages exposing secrets. Additionally, monitor HTTP responses and resource status messages for unexpected exposure of TLS certificates or Kubernetes service account tokens. Since the vulnerability involves Lua scripts reading sensitive files such as '/certs/tls.crt', '/certs/tls.key', or '/var/run/secrets/kubernetes.io/serviceaccount/token', look for any unusual access to or exfiltration attempts involving these files. [1]
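An added detection example, not from the advisory or the Envoy Gateway project: it scans the JSON form of the kubectl audit above and flags Lua entries that reference the sensitive paths named here or call Lua file/OS primitives. It assumes the EnvoyExtensionPolicy layout spec.lua[] with type Inline (script in inline) or ValueRef (script in a ConfigMap); the sample policies are constructed.

```python
import json
import re
import sys

# Sensitive paths named in the advisory's detection guidance, plus the Lua
# file/OS primitives a script would need to read them. A hit is a finding for
# a human to review, not proof of compromise.
SENSITIVE_PATHS = (
    "/certs/tls.crt",
    "/certs/tls.key",
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
)
RISKY_CALLS = re.compile(r"\b(io\.(open|lines|popen)|os\.(execute|getenv))\s*\(")


def lua_entries(policy):
    """Yield (index, type, inline_script) for each spec.lua entry (assumed layout)."""
    for i, entry in enumerate(policy.get("spec", {}).get("lua") or []):
        yield i, entry.get("type", ""), entry.get("inline") or ""


def scan_policies(policy_list):
    """Return [(namespace/name, lua index, reasons)] for a `kubectl ... -o json` list."""
    findings = []
    for pol in policy_list.get("items", []):
        meta = pol.get("metadata", {})
        name = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for i, kind, script in lua_entries(pol):
            reasons = []
            if kind == "ValueRef":  # script is in a ConfigMap this scanner cannot see
                reasons.append("script lives in a ConfigMap; inspect it separately")
            reasons += [f"references {p}" for p in SENSITIVE_PATHS if p in script]
            reasons += [f"calls {m.group(1)}" for m in RISKY_CALLS.finditer(script)]
            if reasons:
                findings.append((name, i, reasons))
    return findings


# Constructed sample: one benign header-adding policy, one suspicious policy.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "add-header"},
     "spec": {"lua": [{"type": "Inline", "inline":
              'function envoy_on_response(h)\n  h:headers():add("x-scanned", "1")\nend'}]}},
    {"metadata": {"namespace": "default", "name": "suspicious"},
     "spec": {"lua": [{"type": "Inline", "inline": 'local f = io.open("/certs/tls.key")'},
                      {"type": "ValueRef", "valueRef": {"name": "lua-cm", "kind": "ConfigMap"}}]}},
]}

if __name__ == "__main__":
    # Real use: kubectl get envoyextensionpolicies -A -o json | python scan.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, idx, reasons in scan_policies(data):
        print(f"{name} lua[{idx}]: " + "; ".join(reasons))
```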

Mitigation Strategies

Immediate mitigation steps include:
1) Upgrade Envoy Gateway to version 1.5.7 or 1.6.2 or later, where the vulnerability is fixed.
2) Enable Lua Strict validation mode by default to block dangerous Lua code execution in both proxy and controller pods.
3) Use the 'disableLua' option in EnvoyProxy to reject EnvoyExtensionPolicies containing Lua scripts entirely, preventing arbitrary Lua code execution.
4) Restrict creation of EnvoyExtensionPolicy resources via Kubernetes RBAC rules to trusted namespaces only, limiting exposure regardless of the extensibility mechanism used.
These steps help prevent malicious Lua scripts from leaking credentials and limit the attack surface. [1]

Compliance Impact

This vulnerability allows leakage of sensitive credentials such as TLS private keys and Kubernetes service account tokens, which can lead to unauthorized access to secrets and control plane communication. Such exposure of sensitive data can result in violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and protection against unauthorized disclosure. Therefore, exploitation of this vulnerability could compromise compliance with these regulations by enabling data breaches and unauthorized access to protected data. [1]
