CVE-2026-47692
Status: Received - Intake
PROXY Protocol v2 Header Length Mismatch in Envoy

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the PROXY Protocol v2 header generator emits TLVs beyond the 65535-byte maximum that the header's 16-bit length field can express, causing a mismatch between the bytes actually written and the length field in the header. The bytes written past the advertised length can be smuggled into the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-26
CVSS Scores: none listed
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor      Product   Version / Range
envoyproxy  envoy     From 1.34.0 (inc) to 1.39.0 (exc)
Note: this CPE range is coarser than the description above. The fixed releases 1.35.13, 1.36.9, 1.37.5 and 1.38.3 fall inside it, so match on the exact patch level of each branch rather than on the major.minor range alone.
CWE
CWE-130: The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Executive Summary

CVE-2026-47692 is a flaw in the PROXY Protocol v2 header generator of Envoy Proxy. The generator emits Type-Length-Value (TLV) entries whose combined size exceeds the 65535 bytes that the header's 16-bit length field can express, so the length field no longer matches the number of bytes actually written.

Because the upstream consumes only the advertised number of header bytes, everything written past that point is handed to the application stream as if it were request data. Those extra bytes are "smuggled" past the checks Envoy applied to the request it believed it was forwarding.

The defect was introduced in February 2025 and affects Envoy releases from 1.34.0 up to 1.39 that predate the fix in their branch.

Exploitation requires a specific configuration (the AWS listener pattern with pass_through_tlvs). The fix corrects a variable name in the generator so that only TLVs that fit within the length limit are included.

Impact Analysis

The practical impact is that an attacker can bypass filters Envoy applied on the downstream side, such as the HTTP connection manager, RBAC (Role-Based Access Control), or JWT (JSON Web Token) validation.

Because the smuggled bytes arrive at the upstream as part of the application stream, malicious payloads or unauthorized requests can reach backend services without Envoy having inspected them.

Depending on the upstream application and the attacker's intent, this can lead to unauthorized access, data manipulation, or denial of service.

Detection Guidance

This vulnerability involves the PROXY Protocol v2 header generator emitting TLVs beyond the 65535-byte maximum of the header length field, so that bytes Envoy already wrote past the advertised header end reach the upstream application unfiltered.

Detection would involve inspecting PROXY Protocol v2 headers on the Envoy-to-upstream hop (the generator emits the header on the upstream connection) for a length field that does not account for all the TLV bytes that follow the address block: a TLV whose own declared length runs past the advertised end of the header, or application data that begins with the tail of a TLV, indicates the mismatch.

Specific commands or tools are not provided in the available resources.
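The mechanism described in the Executive Summary and the length-consistency check suggested in the Detection Guidance, as an added Python example that is not Envoy's code and not part of this advisory. It models a PROXY Protocol v2 generator in a buggy and a patched form, shows what an upstream receiver sees in each case, and flags the inconsistent header. The wrap-around of the 16-bit length field, the 10.0.0.x addresses and ports, and the custom TLV types 0xE0/0xE1 with their 40,000-byte values are constructed assumptions for the model, not details taken from Envoy.

```python
"""Added example, not Envoy's code: a simplified PROXY protocol v2 model.

Shows (1) how a generator whose TLVs overrun the 16-bit length field writes
more bytes than the header advertises, (2) what a conforming upstream then
treats as application data, and (3) a receiver-side consistency check that
flags such headers (CWE-130).  Truncating the oversized total to 16 bits is
an assumption made for this model, not a statement about Envoy's code.
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 signature
PP2_VER_CMD = 0x21                         # version 2, PROXY command
PP2_FAM_TCP4 = 0x11                        # AF_INET / SOCK_STREAM
TCP4_ADDR_LEN = 12                         # src ip, dst ip, src port, dst port
MAX_HEADER_LEN = 0xFFFF                    # length field after the signature is uint16


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (1 byte) + length (2 bytes, big-endian) + value."""
    if len(value) > 0xFFFF:
        raise ValueError("a single TLV value cannot exceed 65535 bytes")
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_header(tlvs, fixed: bool) -> bytes:
    """Build a v2 header for a constructed TCP4 connection plus the given TLVs.

    fixed=False models the bug: every TLV is written even when the total no
    longer fits the 16-bit length field, so declared and written sizes diverge.
    fixed=True models the patched behaviour: TLVs that would not fit are dropped.
    """
    body = (socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")
            + struct.pack("!HH", 40000, 443))          # constructed addresses
    for tlv_type, value in tlvs:
        encoded = encode_tlv(tlv_type, value)
        if fixed and len(body) + len(encoded) > MAX_HEADER_LEN:
            continue        # patched: skip TLVs the length field cannot cover
        body += encoded
    # Model assumption: an oversized total is truncated to the 16-bit field.
    declared = len(body) & MAX_HEADER_LEN
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VER_CMD, PP2_FAM_TCP4, declared) + body


def split_as_upstream(stream: bytes):
    """Consume the header exactly as a conforming receiver would.

    Returns (declared_length, tlv_overrun, leftover).  'leftover' is whatever
    follows the declared header length; on a real connection the upstream
    treats those bytes as the start of the application stream.
    """
    if stream[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    _ver_cmd, _family, declared = struct.unpack("!BBH", stream[12:16])
    body = stream[16:16 + declared]
    leftover = stream[16 + declared:]

    # Walk the TLVs inside the declared body; a TLV whose own length runs past
    # the declared end means the length field and the data disagree (CWE-130).
    pos, overrun = TCP4_ADDR_LEN, False
    while pos < len(body):
        if pos + 3 > len(body):
            overrun = True
            break
        _tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + tlv_len > len(body):
            overrun = True
            break
        pos += 3 + tlv_len
    return declared, overrun, leftover


def demo():
    # Constructed TLVs: two 40,000-byte values, each individually legal, whose
    # sum exceeds what one 16-bit header length can cover.
    tlvs = [(0xE0, b"A" * 40000), (0xE1, b"B" * 40000)]
    vulnerable = build_header(tlvs, fixed=False)
    patched = build_header(tlvs, fixed=True)
    return split_as_upstream(vulnerable), split_as_upstream(patched)


if __name__ == "__main__":
    (v_decl, v_overrun, v_left), (p_decl, p_overrun, p_left) = demo()
    print(f"vulnerable: declared={v_decl} tlv_overrun={v_overrun} bytes past header={len(v_left)}")
    print(f"patched:    declared={p_decl} tlv_overrun={p_overrun} bytes past header={len(p_left)}")
```

In the buggy case the header advertises 14482 bytes while 80018 were written, the first TLV's declared length already runs past the advertised end, and 65536 bytes land in what the upstream reads as the application stream; the patched generator drops the TLV that does not fit and the receiver sees a consistent header with nothing left over. One caveat for the check: it keys on a TLV overrunning the declared end, so an overrun that happens to land exactly on a TLV boundary is not visible from the header alone, and the bytes that follow it must be compared against what the application expects to see first.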

Mitigation Strategies

The vulnerability is fixed in Envoy Proxy versions 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Immediate mitigation is to upgrade Envoy Proxy to the fixed release of the branch in use, so that the PROXY Protocol v2 header generator only includes TLVs that fit within the header length limit.

Until the upgrade is in place, review your configuration for the AWS listener pattern with pass_through_tlvs: the vulnerable code path is only reachable with that setup, so deployments without it are not exposed to this issue, but they should still move to a fixed release.
