CVE-2026-26205
Received Received - Intake
Path Parsing Vulnerability in opa-envoy-plugin Enables Access Bypass

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-05-07
AI Q&A
2026-02-19
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26205
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
opa-envoy-plugin opa-envoy-plugin to 1.13.2-envoy-2 (exc)
open_policy_agent opa_envoy_plugin to 1.13.2-envoy-2 (exc)
open_policy_agent opa_envoy_plugin 1.13.2-envoy-2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the opa-envoy-plugin versions prior to 1.13.2-envoy-2. It involves how the `input.parsed_path` field is constructed when parsing HTTP request paths. Specifically, the plugin treats HTTP request paths as full URIs and interprets leading path segments that start with double slashes (`//`) as authority components. This causes those segments to be dropped from the parsed path.

As a result, there is a mismatch between the path used by authorization policies and the actual path served by backend servers. Attackers can exploit this mismatch by crafting requests that cause the authorization filter to evaluate a different path than the one ultimately served, thereby bypassing access controls.

This issue was fixed in version 1.13.2-envoy-2 of the plugin.


How can this vulnerability impact me? :

This vulnerability can allow attackers to bypass access controls enforced by the opa-envoy-plugin. Because the authorization filter evaluates a different path than the backend server ultimately serves, unauthorized users may gain access to protected resources or perform actions they should not be allowed to.

Such unauthorized access can lead to data exposure, modification, or other security breaches depending on the protected resources behind the plugin.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the opa-envoy-plugin to version 1.13.2-envoy-2 or later, as this version fixes the issue with how the input.parsed_path field is constructed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart