Lua Code Injection Vulnerability in Contour Kubernetes Ingress Controller by Project Contour
CVE-2026-41246

8.1HIGH

Key Information:

Vendor

Projectcontour

Status
Contour
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41246?

The Contour Kubernetes ingress controller, utilizing the Envoy proxy, has a vulnerability associated with its Cookie Rewriting feature. This issue allows an attacker with RBAC permissions to manipulate specific HTTPProxy resource values, enabling Lua code injection. Malicious input in cookie rewrite policies could lead to arbitrary code execution within the Envoy proxy context. This poses risks including exposure of sensitive credentials and potential denial of service to other tenants sharing the Envoy instance. The issue is due to insufficient input sanitization when processing user-controlled values within Lua source code. It is imperative to upgrade to Contour versions v1.33.4, v1.32.5, or v1.31.6 to mitigate this risk.

Affected Version(s)

contour >= 1.33.0, < 1.33.4 < 1.33.0, 1.33.4

contour >= 1.32.0, < 1.32.5 < 1.32.0, 1.32.5

contour >= 1.19.0, < 1.31.6 < 1.19.0, 1.31.6

References

https://github.com/projectcontour/contour/security/adviso...
x_refsource_CONFIRM
https://github.com/projectcontour/contour/releases/tag/v1...
x_refsource_MISC
https://github.com/projectcontour/contour/releases/tag/v1...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.