Introduction
A Lua code injection flaw in the Contour Kubernetes ingress controller allows an attacker with modest RBAC privileges to execute arbitrary code inside a shared Envoy proxy instance, potentially reading xDS credentials and TLS private keys belonging to other tenants. The vulnerability, tracked as CVE-2026-41246 with a CVSS score of 8.1, affects all Contour versions from v1.19.0 onward and has no available workarounds.
Project Contour is an open source Kubernetes ingress controller that deploys the Envoy proxy as a reverse proxy and load balancer. It supports dynamic configuration updates through multiple APIs, including standard Ingress, the custom HTTPProxy API, and the newer Gateway API. Contour is a CNCF project and is widely used in multi tenant Kubernetes environments where Envoy instances are shared across teams and services.
Technical Information
Root Cause: Unsanitized Template Interpolation
The vulnerability is classified under CWE 94 (Improper Control of Generation of Code). Contour's Cookie Rewriting feature is internally implemented using Envoy's HTTP Lua filter. In vulnerable versions, user controlled values from HTTPProxy custom resources are interpolated directly into Lua source code using Go's text/template package without sufficient sanitization.
The two vulnerable YAML paths in HTTPProxy manifests are:
- spec.routes[].cookieRewritePolicies[].pathRewrite.value
- spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value
When Contour processes an HTTPProxy resource containing a cookie rewrite policy, it takes the pathRewrite.value string and embeds it into a Lua script that will be loaded by Envoy's HTTP Lua filter. Because text/template performs no Lua specific escaping, an attacker can craft a value that breaks out of the intended string literal context and injects arbitrary Lua statements.
Attack Flow
The exploitation path proceeds as follows:
- Prerequisite: The attacker must have Kubernetes RBAC permissions to create or modify HTTPProxy resources. This is a "Low" privilege requirement in the CVSS assessment, as many development teams in multi tenant clusters are granted this level of access.
- Payload crafting: The attacker creates or modifies an HTTPProxy resource, placing a malicious Lua payload in one of the two pathRewrite.value fields. The payload is designed to escape the string interpolation context within the generated Lua template.
- Code generation: Contour processes the HTTPProxy resource and generates a Lua script using Go's text/template, embedding the attacker's unsanitized value directly into the source code.
- Execution: The generated Lua script is loaded into Envoy's HTTP Lua filter. The Lua filter executes scripts as coroutines during request and response processing. The injected code runs with the full privileges of the Lua filter whenever traffic hits the attacker's route.
- Cross tenant impact: Although the code only triggers on the attacker's own route (which they already control), Envoy runs as shared infrastructure. The injected Lua code can:
  - Read Envoy's xDS client credentials from the filesystem
  - Access all Contour xDS configuration data, including TLS certificates and private keys belonging to other tenants
  - Cause denial of service for all other tenants sharing the same Envoy instance
CVSS Breakdown
| Metric | Value | Notes |
|---|---|---|
| Base Score | 8.1 High | |
| Attack Vector | Network | Exploitable over a network connection |
| Privileges Required | Low | Requires RBAC permissions for HTTPProxy resources |
| Confidentiality Impact | High | xDS credentials and TLS keys can be exposed |
| Availability Impact | High | Denial of service across shared Envoy instances |
Scope Clarification
The advisory explicitly notes that other use cases of the Lua filter within Contour are not vulnerable. The risk is strictly isolated to the Cookie Rewriting feature and the specific pathRewrite.value fields.
Affected Systems and Versions
The vulnerability affects Contour versions from v1.19.0 up to (but not including) the following patched releases:
| Branch | Patched Version | Fix Approach | Envoy Requirement |
|---|---|---|---|
| 1.33.x | v1.33.4 | Removes text/template entirely; passes structured data via Envoy filterContext | Envoy 1.35.0 or later |
| 1.32.x | v1.32.5 | Escapes user provided values before interpolation into Lua code | Standard branch requirements |
| 1.31.x | v1.31.6 | Escapes user provided values before interpolation into Lua code | Standard branch requirements |
Version v1.33.4 provides the most robust architectural fix by completely eliminating the vulnerable code generation pattern. However, it requires Envoy 1.35.0 or later due to its reliance on the filterContext mechanism. Organizations running older Envoy versions should target v1.32.5 or v1.31.6.
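The root cause described under Technical Information, and the escaping approach the 1.31.x and 1.32.x patches take, can be seen side by side in the following added example. It is not Contour's code: the one-line Lua template is an assumed stand-in for the real generated script, and luaEscape and literalIntact are illustrative helpers. The unsafe renderer drops the value straight into a Lua string literal through text/template; the safe renderer escapes it first, so a value containing a quote stays inside the literal instead of ending it.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Assumed, minimal stand-in for the generated script: the real Contour
// template is larger, this keeps only the interpolation point that matters.
const unsafeTmpl = `local new_path = "{{ .PathRewrite }}"`
const safeTmpl = `local new_path = "{{ luaEscape .PathRewrite }}"`

// renderUnsafe reproduces the vulnerable pattern: the raw value lands inside
// a Lua string literal via text/template, which applies no Lua escaping.
func renderUnsafe(value string) (string, error) {
	t := template.Must(template.New("lua").Parse(unsafeTmpl))
	var sb strings.Builder
	err := t.Execute(&sb, map[string]string{"PathRewrite": value})
	return sb.String(), err
}

// luaEscape makes value safe between double quotes in Lua source: backslash
// and the quote are escaped, and every byte outside printable ASCII becomes a
// decimal \ddd escape, so neither a newline nor a stray quote can end the
// literal early or start a statement.
func luaEscape(value string) string {
	var sb strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch {
		case c == '\\':
			sb.WriteString(`\\`)
		case c == '"':
			sb.WriteString(`\"`)
		case c < 0x20 || c > 0x7e:
			fmt.Fprintf(&sb, `\%03d`, c)
		default:
			sb.WriteByte(c)
		}
	}
	return sb.String()
}

// renderSafe is the hardened form: the same template, but the value passes
// through luaEscape before it is interpolated.
func renderSafe(value string) (string, error) {
	t := template.Must(template.New("lua").
		Funcs(template.FuncMap{"luaEscape": luaEscape}).
		Parse(safeTmpl))
	var sb strings.Builder
	err := t.Execute(&sb, map[string]string{"PathRewrite": value})
	return sb.String(), err
}

// literalIntact reports whether the rendered line holds exactly one
// double-quoted Lua literal with nothing after its closing quote, i.e. the
// user value stayed data and did not become code.
func literalIntact(lua string) bool {
	start := strings.IndexByte(lua, '"')
	if start < 0 {
		return false
	}
	for i := start + 1; i < len(lua); i++ {
		switch lua[i] {
		case '\\':
			i++ // skip the escaped byte
		case '"':
			return i == len(lua)-1
		}
	}
	return false
}

func main() {
	// Constructed input: a cookie path with an embedded quote character.
	value := `/app"x`
	for name, render := range map[string]func(string) (string, error){
		"unsafe": renderUnsafe, "safe": renderSafe,
	} {
		out, err := render(value)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s intact=%-5v %s\n", name, literalIntact(out), out)
	}
}
```

Escaping is the minimal fix and is what the 1.31.x and 1.32.x branches do; the v1.33.4 approach of not generating Lua from user data at all, and instead handing the value to the script as structured data, removes the need to get the escaping right in the first place.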
Any Contour deployment using the Cookie Rewriting feature with user modifiable HTTPProxy resources is directly exposed. Deployments where HTTPProxy creation is restricted to trusted platform administrators carry lower practical risk, though the vulnerability still exists in the code path.
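Before upgrading, an operator usually wants an inventory: which HTTPProxy resources use cookie path rewriting at all, and whether any existing value already contains characters that have no place in a cookie path. The following added example (not Contour's code) walks the two advisory paths across an HTTPProxy list in the shape returned by kubectl get httpproxies -A -o json. The embedded list is constructed, and the allowlist regex is an assumed, deliberately conservative choice for a Path attribute value; anything outside it is flagged for review.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)

// Minimal projection of the HTTPProxy fields this audit needs. Field names
// follow the two paths named in the advisory; everything else is ignored.
type pathRewrite struct {
	Value string `json:"value"`
}
type cookieRewritePolicy struct {
	PathRewrite *pathRewrite `json:"pathRewrite"`
}
type service struct {
	Name                  string                `json:"name"`
	CookieRewritePolicies []cookieRewritePolicy `json:"cookieRewritePolicies"`
}
type route struct {
	CookieRewritePolicies []cookieRewritePolicy `json:"cookieRewritePolicies"`
	Services              []service             `json:"services"`
}
type httpProxy struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Routes []route `json:"routes"`
	} `json:"spec"`
}
type proxyList struct {
	Items []httpProxy `json:"items"`
}

// Finding records one pathRewrite.value occurrence and whether it needs review.
type Finding struct {
	Namespace, Name, Path, Value string
	Risky                        bool
}

// safePath is an assumed, deliberately conservative allowlist for a cookie
// Path value: path segments, dots, underscores, tildes and hyphens only.
var safePath = regexp.MustCompile(`^[A-Za-z0-9/._~-]*$`)

// auditHTTPProxies returns every pathRewrite.value found under the two
// advisory paths, in document order, flagging values outside the allowlist.
func auditHTTPProxies(doc []byte) ([]Finding, error) {
	var list proxyList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var out []Finding
	add := func(p httpProxy, path, value string) {
		out = append(out, Finding{p.Metadata.Namespace, p.Metadata.Name, path, value, !safePath.MatchString(value)})
	}
	for _, p := range list.Items {
		for ri, r := range p.Spec.Routes {
			for ci, c := range r.CookieRewritePolicies {
				if c.PathRewrite != nil {
					add(p, fmt.Sprintf("spec.routes[%d].cookieRewritePolicies[%d].pathRewrite.value", ri, ci), c.PathRewrite.Value)
				}
			}
			for si, s := range r.Services {
				for ci, c := range s.CookieRewritePolicies {
					if c.PathRewrite != nil {
						add(p, fmt.Sprintf("spec.routes[%d].services[%d].cookieRewritePolicies[%d].pathRewrite.value", ri, si, ci), c.PathRewrite.Value)
					}
				}
			}
		}
	}
	return out, nil
}

// sampleList is a constructed HTTPProxy list: one route-level policy with a
// plain path, and one service-level policy whose value contains a quote.
const sampleList = `{"items":[
 {"metadata":{"namespace":"team-a","name":"shop"},
  "spec":{"routes":[{"cookieRewritePolicies":[{"name":"session","pathRewrite":{"value":"/shop"}}],
                     "services":[{"name":"web","port":80}]}]}},
 {"metadata":{"namespace":"team-b","name":"blog"},
  "spec":{"routes":[{"services":[{"name":"api","port":80,
            "cookieRewritePolicies":[{"name":"sid","pathRewrite":{"value":"/blog\"x"}}]}]}]}}
]}`

func main() {
	doc := []byte(sampleList)
	if len(os.Args) > 1 {
		// Pass a file produced by: kubectl get httpproxies -A -o json > proxies.json
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		doc = b
	}
	findings, err := auditHTTPProxies(doc)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		flag := "ok   "
		if f.Risky {
			flag = "RISKY"
		}
		fmt.Printf("%s %s/%s %s = %q\n", flag, f.Namespace, f.Name, f.Path, f.Value)
	}
}
```

Every finding, risky or not, is a tenant whose traffic depends on the patched release; the risky ones are the values to look at first, since on a vulnerable version they already reach the Lua filter unescaped.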
Vendor Security History
Project Contour maintains a public security advisories page on GitHub. The project has disclosed and patched several high severity issues over the years:
| Year | Advisory ID | Severity | Description |
|---|---|---|---|
| 2026 | GHSA-x4mj-7f9g-29h4 | High | Lua code injection via Cookie Path Rewrite Policy |
| 2021 | GHSA-5ph6-qq5x-7jwc | High | ExternalName Services access to Envoy admin interface |
| 2020 | GHSA-mjp8-x484-pm3r | High | Ingress data plane denial of service |
The project demonstrates a consistent pattern of coordinating patches across multiple supported branches and publishing detailed advisories. CVE-2026-41246 was reported by researcher tsaarni and disclosed through the GitHub Security Advisory process on April 20, 2026, with patched releases available at the time of disclosure.