CVE-2026-26205: opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path
A security vulnerability has been discovered in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed, so a leading path segment prefixed with double slashes (//) is interpreted as an authority component and is therefore dropped from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers: an attacker can craft a request whose path the authorization filter evaluates differently from the path the backend ultimately serves, and thereby bypass access controls.
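The mismatch described above can be reproduced with Go's standard net/url package, which is the kind of parsing the advisory refers to. The following is an added example, not code from opa-envoy-plugin or from the advisory: PathSegments, ParsedPathAsFullURI, ParsedPathAsRequestURI and DoubleSlashAmbiguous are this example's own helpers, and using url.ParseRequestURI (which treats a scheme-less request target as an absolute path) is this example's chosen mitigation, not necessarily the project's fix in v1.13.2-envoy-2. The sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PathSegments splits a URL path into the non-empty segments a policy
// would match on, e.g. "/admin/users" -> ["admin", "users"]. It models
// the general shape of input.parsed_path; it is not the plugin's code.
func PathSegments(p string) []string {
	var segs []string
	for _, s := range strings.Split(p, "/") {
		if s != "" {
			segs = append(segs, s)
		}
	}
	return segs
}

// ParsedPathAsFullURI models the vulnerable construction: the raw request
// path is parsed as if it were a complete URI, so a leading "//host" run is
// consumed as an authority component and disappears from Path.
func ParsedPathAsFullURI(rawPath string) (segments []string, host string, err error) {
	u, err := url.Parse(rawPath)
	if err != nil {
		return nil, "", err
	}
	return PathSegments(u.Path), u.Host, nil
}

// ParsedPathAsRequestURI parses the value as an HTTP request target. With
// no scheme present the target must be an absolute path, so "//host/admin"
// stays a path and every segment reaches the policy. (Assumed mitigation.)
func ParsedPathAsRequestURI(rawPath string) ([]string, error) {
	u, err := url.ParseRequestURI(rawPath)
	if err != nil {
		return nil, err
	}
	return PathSegments(u.Path), nil
}

// DoubleSlashAmbiguous reports whether the two parsers disagree about the
// path segments. A filter can use this as a guard: a request target that
// parses differently as a URI and as a request path should be rejected
// rather than evaluated against a policy with the shorter path.
func DoubleSlashAmbiguous(rawPath string) bool {
	asURI, _, err1 := ParsedPathAsFullURI(rawPath)
	asReq, err2 := ParsedPathAsRequestURI(rawPath)
	if err1 != nil || err2 != nil {
		return true // unparseable targets are treated as ambiguous
	}
	return strings.Join(asURI, "/") != strings.Join(asReq, "/")
}

func main() {
	// Constructed sample request targets: a normal path and two
	// double-slash variants that the two parsers interpret differently.
	for _, raw := range []string{"/admin", "//admin", "//x/admin"} {
		segsURI, host, _ := ParsedPathAsFullURI(raw)
		segsReq, _ := ParsedPathAsRequestURI(raw)
		fmt.Printf("%-10s as URI: host=%q path=%v  as request: path=%v  ambiguous=%v\n",
			raw, host, segsURI, segsReq, DoubleSlashAmbiguous(raw))
	}
}
```

For "//admin" the URI parser yields host "admin" and an empty segment list, so a rule that denies on parsed_path[0] == "admin" never fires, while a backend that collapses repeated slashes serves /admin. Parsing the value as a request target keeps ["admin"], and the ambiguity guard gives a filter a way to refuse such requests outright.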
References
- github.com/advisories/GHSA-9f29-v6mm-pw6w
- github.com/open-policy-agent/opa-envoy-plugin
- github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3
- github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2
- github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w
- nvd.nist.gov/vuln/detail/CVE-2026-26205
Detect and mitigate CVE-2026-26205 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →