CVE-2026-6994
Injection Vulnerability in Envoy Query Parameter Handler Allows Remote Exploitation

Publication date: 2026-04-25

Last updated on: 2026-04-25

Assigner: VulDB

Description
A weakness has been identified in Envoy up to 1.33.0. The affected function is params.add in the file source/extensions/filters/http/header_mutation/header_mutation.cc of the Query Parameter Handler component. Manipulation leads to injection, and the attack can be carried out remotely. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. Installing the patch is recommended to address this issue.
Meta Information
Published: 2026-04-25
Last Modified: 2026-04-25
Generated: 2026-05-07
AI Q&A: 2026-04-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor      Product   Version / Range
envoyproxy  envoy     up to 1.33.0 (inclusive)
CWE ID and Description
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707: The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Envoy up to version 1.33.0 involves improper URL encoding of query parameter values added via the query_parameter_mutations feature.

Specifically, query parameter values derived from formatters such as %REQ(header)% were not being URL-encoded correctly when appended to the URI query string.

This flaw allows for potential query parameter injection attacks, where an attacker can manipulate query parameters to inject malicious content.

The issue is located in the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc in the Query Parameter Handler component.

A patch was implemented to ensure all query parameter values added through query_parameter_mutations are properly URL-encoded before inclusion in the query string, mitigating injection risks.
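As an added illustration (not Envoy's code and not part of this advisory), a simplified C++ model of the two behaviours described above: a value derived from request data appended to the query string raw, beside the same append with percent-encoding. The encoder, the function names and the sample header value are assumptions made for this example; Envoy's real implementation in header_mutation.cc differs.

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>
// Constructed sample value (not from the advisory): contains query metacharacters.
const std::string kSampleValue = "acme&role=admin";

// Percent-encode every byte outside RFC 3986 unreserved (assumed encoder; Envoy's may differ).
std::string urlEncode(const std::string& in) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F];
        }
    }
    return out;
}

// Vulnerable pattern: the value (e.g. from a %REQ(header)% formatter) is appended raw.
std::string appendParamUnsafe(const std::string& path, const std::string& key, const std::string& value) {
    return path + (path.find('?') == std::string::npos ? "?" : "&") + key + "=" + value;
}

// Hardened pattern: key and value are percent-encoded first, so '&' and '='
// inside the value cannot add or overwrite other parameters.
std::string appendParamSafe(const std::string& path, const std::string& key, const std::string& value) {
    return path + (path.find('?') == std::string::npos ? "?" : "&") + urlEncode(key) + "=" + urlEncode(value);
}

// Split the query into key/value pairs as a downstream service would see
// them (values are left encoded to keep the example short).
std::vector<std::pair<std::string, std::string>> parseQuery(const std::string& uri) {
    std::vector<std::pair<std::string, std::string>> params;
    std::size_t q = uri.find('?');
    if (q == std::string::npos) return params;
    std::string query = uri.substr(q + 1);
    for (std::size_t start = 0;;) {
        std::size_t amp = query.find('&', start);
        std::string pair = query.substr(start, amp == std::string::npos ? std::string::npos : amp - start);
        std::size_t eq = pair.find('=');
        params.emplace_back(pair.substr(0, eq), eq == std::string::npos ? "" : pair.substr(eq + 1));
        if (amp == std::string::npos) break;
        start = amp + 1;
    }
    return params;
}
```

With the sample value, the raw append yields two parameters downstream while the encoded append yields exactly one, which is the difference the patch enforces.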


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can allow remote attackers to perform query parameter injection attacks by exploiting improper URL encoding.

Such injection can lead to manipulation of query parameters, potentially causing unexpected behavior in applications relying on Envoy for HTTP request handling.

The impact includes possible information disclosure, data manipulation, or other security issues depending on how the injected parameters are processed downstream.

The vulnerability has a moderate severity score (CVSS v3.1 Base Score 6.3), indicating a significant but not critical risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper URL encoding of query parameter values added via the query_parameter_mutations feature in Envoy. Detection would involve monitoring or inspecting HTTP requests handled by Envoy for suspicious or malformed query parameters that could indicate injection attempts.

Specifically, you can look for query parameters that include special characters or payloads that are not properly URL-encoded, which might be exploited due to this flaw.

Commands to detect this might include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP traffic, then filtering for Envoy proxy traffic and examining query strings for unencoded suspicious characters.

  • Use tcpdump to capture HTTP traffic on the Envoy proxy port: tcpdump -i <interface> -A 'tcp port <envoy_port>'
  • Use curl or similar tools to test query parameter injection manually by sending crafted requests with special characters in query parameters and observing Envoy's behavior.
  • Check Envoy logs for any unusual query parameter mutation activity or errors related to header_mutation filters.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to apply the official patch that fixes the improper URL encoding of query parameter values in Envoy. This patch ensures all query parameter values added via query_parameter_mutations are properly URL-encoded, preventing injection attacks.

Additionally, operators can enable the runtime guard named 'envoy.reloadable_features.header_mutation_url_encode_query_params' to dynamically enforce URL encoding of query parameters if the patch is applied.

If immediate patching is not possible, consider restricting or monitoring traffic that uses query_parameter_mutations features, and apply strict input validation or filtering on query parameters upstream.

