CVE-2026-6994
Received Received - Intake
Injection Vulnerability in Envoy Query Parameter Handler Allows Remote Exploitation

Publication date: 2026-04-25

Last updated on: 2026-04-25

Assigner: VulDB

Description
A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-04-25
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6994
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
envoyproxy envoy to 1.33.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Envoy up to version 1.33.0 involves improper URL encoding of query parameter values added via the query_parameter_mutations feature.

Specifically, query parameter values derived from formatters such as %REQ(header)% were not being URL-encoded correctly when appended to the URI query string.

This flaw allows for potential query parameter injection attacks, where an attacker can manipulate query parameters to inject malicious content.

The issue is located in the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc in the Query Parameter Handler component.

A patch was implemented to ensure all query parameter values added through query_parameter_mutations are properly URL-encoded before inclusion in the query string, mitigating injection risks.

Impact Analysis

This vulnerability can allow remote attackers to perform query parameter injection attacks by exploiting improper URL encoding.

Such injection can lead to manipulation of query parameters, potentially causing unexpected behavior in applications relying on Envoy for HTTP request handling.

The impact includes possible information disclosure, data manipulation, or other security issues depending on how the injected parameters are processed downstream.

The vulnerability has a moderate severity score (CVSS v3.1 Base Score 6.3), indicating a significant but not critical risk.

Detection Guidance

This vulnerability involves improper URL encoding of query parameter values added via the query_parameter_mutations feature in Envoy. Detection would involve monitoring or inspecting HTTP requests handled by Envoy for suspicious or malformed query parameters that could indicate injection attempts.

Specifically, you can look for query parameters that include special characters or payloads that are not properly URL-encoded, which might be exploited due to this flaw.

Commands to detect this might include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP traffic, then filtering for Envoy proxy traffic and examining query strings for unencoded suspicious characters.

  • Use tcpdump to capture HTTP traffic on the Envoy proxy port: tcpdump -i <interface> -A 'tcp port <envoy_port>'
  • Use curl or similar tools to test query parameter injection manually by sending crafted requests with special characters in query parameters and observing Envoy's behavior.
  • Check Envoy logs for any unusual query parameter mutation activity or errors related to header_mutation filters.
Mitigation Strategies

The primary mitigation step is to apply the official patch that fixes the improper URL encoding of query parameter values in Envoy. This patch ensures all query parameter values added via query_parameter_mutations are properly URL-encoded, preventing injection attacks.

Additionally, operators can enable the runtime guard named 'envoy.reloadable_features.header_mutation_url_encode_query_params' to dynamically enforce URL encoding of query parameters if the patch is applied.

If immediate patching is not possible, consider restricting or monitoring traffic that uses query_parameter_mutations features, and apply strict input validation or filtering on query parameters upstream.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart