CVE-2026-26205
Received Received - Intake
Path Parsing Vulnerability in opa-envoy-plugin Enables Access Bypass

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26205
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
opa-envoy-plugin opa-envoy-plugin to 1.13.2-envoy-2 (exc)
open_policy_agent opa_envoy_plugin to 1.13.2-envoy-2 (exc)
open_policy_agent opa_envoy_plugin 1.13.2-envoy-2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the opa-envoy-plugin versions prior to 1.13.2-envoy-2. It involves how the `input.parsed_path` field is constructed when parsing HTTP request paths. Specifically, the plugin treats HTTP request paths as full URIs and interprets leading path segments that start with double slashes (`//`) as authority components. This causes those segments to be dropped from the parsed path.

As a result, there is a mismatch between the path used by authorization policies and the actual path served by backend servers. Attackers can exploit this mismatch by crafting requests that cause the authorization filter to evaluate a different path than the one ultimately served, thereby bypassing access controls.

This issue was fixed in version 1.13.2-envoy-2 of the plugin.

Impact Analysis

This vulnerability can allow attackers to bypass access controls enforced by the opa-envoy-plugin. Because the authorization filter evaluates a different path than the backend server ultimately serves, unauthorized users may gain access to protected resources or perform actions they should not be allowed to.

Such unauthorized access can lead to data exposure, modification, or other security breaches depending on the protected resources behind the plugin.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the opa-envoy-plugin to version 1.13.2-envoy-2 or later, as this version fixes the issue with how the input.parsed_path field is constructed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart