CVE-2026-26330: Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly

March 10, 2026

At the rate limit filter, if we enabled the response phase limit with apply_on_stream_done in the rate limit configuration and the response phase limit request fails directly, it may crash Envoy.

References

github.com/advisories/GHSA-c23c-rp3m-vpg3
github.com/envoyproxy/envoy
github.com/envoyproxy/envoy/security/advisories/GHSA-c23c-rp3m-vpg3
nvd.nist.gov/vuln/detail/CVE-2026-26330

Code Behaviors & Features

Detect and mitigate CVE-2026-26330 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →