CVE-2026-22771 is a critical code injection vulnerability classified under CWE-94 affecting Envoy Gateway, an open-source project managing Envoy Proxy as a standalone or Kubernetes-based application gateway. The vulnerability exists in EnvoyExtensionPolicy Lua scripts executed by the Envoy proxy in versions prior to 1.5.7 and between 1.6.0-rc.0 and 1.6.2. Due to improper control over the generation and execution of Lua code, an attacker with limited privileges can exploit this flaw to leak the proxy's credentials. These credentials are highly sensitive as they allow the attacker to communicate with the Envoy control plane, thereby gaining unauthorized access to all secrets managed by the proxy, including TLS private keys and credentials used for downstream and upstream communication. This compromises the confidentiality and integrity of communications and can lead to further lateral movement or data exfiltration. The vulnerability does not require user interaction but does require some level of privilege (PR:L) and network access (AV:N). The CVSS v3.1 score is 8.8, indicating a high severity with impacts on confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date, but the risk remains significant due to the sensitive nature of the exposed credentials. The issue is resolved in Envoy Gateway versions 1.5.7 and 1.6.2, where proper controls on Lua script execution have been implemented to prevent unauthorized code injection and credential leakage.

For European organizations, this vulnerability poses a significant risk to the security of their network infrastructure, particularly those leveraging Envoy Gateway in Kubernetes or cloud-native environments. Successful exploitation can lead to the compromise of TLS private keys and authentication credentials, undermining the confidentiality and integrity of encrypted communications. This can facilitate man-in-the-middle attacks, unauthorized data access, and potential disruption of services. Given the widespread adoption of Envoy Proxy and Kubernetes in European enterprises and cloud providers, the vulnerability could impact critical sectors such as finance, healthcare, telecommunications, and government services. The exposure of secrets could also lead to compliance violations under GDPR and other data protection regulations, resulting in legal and financial repercussions. Additionally, attackers gaining control over the control plane could manipulate traffic routing or inject malicious payloads, affecting availability and trust in network services.

European organizations should prioritize upgrading Envoy Gateway to versions 1.5.7 or 1.6.2 immediately to remediate this vulnerability. Until patches are applied, restrict the execution of EnvoyExtensionPolicy Lua scripts to trusted sources only and enforce strict access controls on the proxy and control plane interfaces. Implement network segmentation to limit access to the Envoy control plane and monitor for unusual or unauthorized communication patterns indicative of credential misuse. Employ runtime security tools to detect anomalous Lua script behavior and credential access attempts. Regularly audit and rotate TLS private keys and credentials used by Envoy proxies to minimize the impact of potential leaks. Additionally, integrate vulnerability scanning and configuration management to ensure that no vulnerable versions remain in production environments. Finally, maintain incident response readiness to quickly address any signs of exploitation.