CVE-2026-6994 - Envoy Header Mutation Injection Vulnerability

Vulnerability Description

A weakness has been identified in Envoy up to and including version 1.33.0. The affected code is the function params.add in the file source/extensions/filters/http/header_mutation/header_mutation.cc, part of the Query Parameter Handler component. Manipulation of this function leads to injection, and the attack can be carried out remotely.

Affected Systems

  • Envoy Proxy: version 1.33.0 and prior.
  • Components involved: Query Parameter Handler, Header Mutation filter.

Impact and Exploitability

This vulnerability allows unauthorized users, or attackers with access to the Envoy proxy configuration (specifically the header mutation settings), to inject malicious headers into query parameters. This can be used for:

  • Cross-Site Request Forgery (CSRF): attacks on web applications that rely on authenticated requests.
  • Data injection: manipulating search results or user inputs through header manipulation.

  • Vulnerability severity: MEDIUM (CVSS 6.3). The attack requires local access but has remote impact.
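Since the attacker in this scenario needs to reach the header mutation settings, the practical control is to audit those settings. The following Python is an added example, not part of this advisory or of the Envoy project: it walks an Envoy configuration, finds every query-parameter append in a header_mutation filter, flags keys or values that carry raw query delimiters, and shows the percent-encoding that keeps a configured value to a single parameter. The field names (mutations, query_parameter_mutations, append, entry/record) are assumed from the v3 HeaderMutation API and should be checked against the version you run; the sample configuration is constructed.

```python
"""Audit an Envoy config for header_mutation query-parameter appends whose key or value
carry raw query delimiters. Added example, not Envoy project code; the field names
(mutations / query_parameter_mutations / append / entry|record) are an assumption."""
from urllib.parse import quote

# Characters that, written unencoded into a parameter key or value, are read by the
# upstream as extra parameters, a fragment or a broken request line (constructed policy).
FORBIDDEN = set("&=#?\r\n\t \x00")

def _dicts(node, path=""):
    """Yield (dotted_path, dict) for every dict in a JSON-like tree."""
    if isinstance(node, dict):
        yield path, node
        for key, val in node.items():
            yield from _dicts(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _dicts(val, f"{path}[{idx}]")

def query_param_appends(config):
    """Yield (path, key, value) for every query-parameter append mutation found."""
    for path, node in _dicts(config):
        mutations = node.get("query_parameter_mutations")
        if not isinstance(mutations, list):
            continue
        for idx, mutation in enumerate(mutations):
            append = mutation.get("append") or {}
            entry = append.get("entry") or append.get("record") or {}  # 'record' is the older field name
            yield f"{path}.query_parameter_mutations[{idx}]", str(entry.get("key", "")), str(entry.get("value", ""))

def find_unsafe_mutations(config):
    """Return [(path, field, offending_chars)] for keys or values containing FORBIDDEN chars."""
    findings = []
    for path, key, value in query_param_appends(config):
        for field, text in (("key", key), ("value", value)):
            bad = "".join(sorted(set(text) & FORBIDDEN))
            if bad:
                findings.append((path, field, bad))
    return findings

def encode_entry(text):
    """Percent-encode a key or value so it can only ever be parsed as one parameter."""
    return quote(text, safe="")

# Constructed sample: one clean append and one whose value smuggles a second parameter.
SAMPLE_CONFIG = {"http_filters": [{"name": "envoy.filters.http.header_mutation", "typed_config": {
    "@type": "type.googleapis.com/envoy.extensions.filters.http.header_mutation.v3.HeaderMutation",
    "mutations": {"query_parameter_mutations": [
        {"append": {"entry": {"key": "tenant", "value": "acme"}}},
        {"append": {"entry": {"key": "ref", "value": "x&admin=true"}}}]}}}]}
```

Running find_unsafe_mutations(SAMPLE_CONFIG) reports only the second append, naming the path to the offending mutation and the characters that break the value into two parameters.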

Indicators of Compromise (IOCs)

  • Vulnerability URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6994 (public CVE database entry).

No public Indicators of Compromise are available. It is recommended to check the local environment for versions prior to 1.32.0.

Mitigation and Patches

Patch commit: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4

Installing the patch (Envoy 1.33+)

    git clone https://github.com/envoyproxy/envoy.git
    cd envoy
    git checkout v1.33.0-rc2   # or the version that already carries the patch

    # Apply the upstream fix (the commit listed above) on top of the checked-out tree;
    # verify the hash against the upstream repository before applying it
    git cherry-pick f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4

    # Option 1: rebuild Envoy from the patched source (Envoy is built with Bazel)
    bazel build //source/exe:envoy-static

    # Option 2: on an older deployment, move to a prebuilt release that contains the fix
    # instead of building; <patched-version> is a placeholder for the release you choose
    docker pull envoyproxy/envoy:<patched-version>
    

Note: for versions prior to 1.32.0, upgrading to a more recent stable release (v1.32.x or later) is the priority recommendation for mitigating this risk.

High priority: upgrade to Envoy v1.40.x or later immediately.


Jordi Serrano — Senior Cyber Threat Intelligence
