CVE-2026-26205: CWE-863: Incorrect Authorization in open-policy-agent opa-envoy-plugin
opa-envoy-plugin is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed, so leading path segments prefixed with double slashes (`//`) are interpreted as authority components and therefore dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.
AI Analysis
Technical Summary
The opa-envoy-plugin integrates Open Policy Agent (OPA) with the Envoy proxy to enforce fine-grained authorization policies on HTTP requests. In versions prior to 1.13.2-envoy-2, the plugin incorrectly constructs the `input.parsed_path` field by treating HTTP request paths as full URIs. Specifically, when a request path contains leading double slashes ('//'), the parser interprets these segments as authority components (such as host information) rather than path segments, causing those segments to be dropped from the parsed path. This results in a mismatch between the path evaluated by the authorization policy and the actual path requested by the client and served by the backend. Attackers can exploit this by crafting requests with double slashes to bypass authorization checks, gaining unauthorized access to protected resources. The vulnerability is classified under CWE-863 (Incorrect Authorization) and has a CVSS 4.0 score of 7.1, indicating a high-severity issue exploitable remotely without authentication or user interaction. The issue was publicly disclosed on February 19, 2026, and fixed in version 1.13.2-envoy-2. No public exploits have been reported, but the potential for access control bypass makes this a critical concern for deployments relying on opa-envoy-plugin for security enforcement.
Potential Impact
This vulnerability can have severe consequences for organizations using the opa-envoy-plugin to enforce access control policies. By exploiting the path parsing flaw, attackers can bypass authorization checks and gain unauthorized access to sensitive backend services or data. This undermines the integrity and confidentiality of protected resources and can lead to data breaches, unauthorized data modification, or service disruption. Since the vulnerability does not require authentication or user interaction and can be exploited remotely over the network, it significantly increases the attack surface. Organizations relying on opa-envoy-plugin in critical infrastructure, cloud-native environments, or microservices architectures are particularly at risk. The mismatch in path interpretation can also complicate incident detection and response, as logs and monitoring may reflect authorized paths while actual requests bypass controls.
Mitigation Recommendations
Organizations should immediately upgrade the opa-envoy-plugin to version 1.13.2-envoy-2 or later, where the path parsing logic has been corrected. Until the upgrade is applied, administrators can implement strict input validation and normalization at the Envoy proxy or upstream web servers to reject or sanitize requests containing suspicious path patterns such as leading double slashes. Additionally, reviewing and tightening authorization policies to include explicit path normalization checks can reduce risk. Monitoring and logging should be enhanced to detect anomalous request paths and potential bypass attempts. Network-level protections such as Web Application Firewalls (WAFs) can be configured to block malformed paths. Finally, organizations should conduct thorough security assessments of their OPA policy enforcement points to ensure no other path interpretation inconsistencies exist.
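The following Go program is an added illustration, not code from opa-envoy-plugin, of the flaw described in the technical summary and of the explicit path normalization check the mitigation section recommends. It assumes the vulnerable construction is well modelled by handing the raw request path to `url.Parse` (which treats a leading `//` as an authority), contrasts it with `url.ParseRequestURI` (which parses a request-target and keeps every segment), and uses a hypothetical policy rule that denies the `admin` prefix.

```go
package main

import (
	"net/url"
	"strings"
)

// splitSegments turns "/a/b/" into ["a","b"], dropping empty segments the way
// OPA's input.parsed_path presents a path.
func splitSegments(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '/' })
}

// vulnerableParsedPath models the flaw (assumption: the request path is handed
// to url.Parse as if it were a full URI). "//admin/secret" is then read as
// host "admin" plus path "/secret", and the leading segment vanishes.
func vulnerableParsedPath(rawPath string) []string {
	u, err := url.Parse(rawPath)
	if err != nil {
		return nil
	}
	return splitSegments(u.Path)
}

// hardenedParsedPath parses the value as an HTTP request-target, where a
// leading "//" is plain path and never an authority, so no segment is lost.
func hardenedParsedPath(rawPath string) []string {
	u, err := url.ParseRequestURI(rawPath)
	if err != nil {
		return nil
	}
	return splitSegments(u.Path)
}

// policyAllows stands in for a hypothetical Rego rule that denies any request
// whose first path segment is "admin".
func policyAllows(parsedPath []string) bool {
	return len(parsedPath) == 0 || parsedPath[0] != "admin"
}

// pathInterpretationMismatch is the explicit normalization check the mitigation
// section calls for: flag (and log) any raw path the two readings disagree on.
func pathInterpretationMismatch(rawPath string) bool {
	return strings.Join(vulnerableParsedPath(rawPath), "/") !=
		strings.Join(hardenedParsedPath(rawPath), "/")
}
```

Feeding `//admin/secret` through both parsers shows the policy input differing from the path the backend receives; logging every mismatch flagged by `pathInterpretationMismatch` gives defenders a signal until the upgrade lands.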
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-11T19:56:24.814Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69978157d7880ec89b34979b
Added to database: 2/19/2026, 9:32:07 PM
Last enriched: 2/19/2026, 9:47:33 PM
Last updated: 2/20/2026, 9:00:42 PM
Views: 29