VDB
CVE-2026-26205
CVE-2026-26205
PUBLISHED
CVSS 7.099999904632568 HIGH
opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path
EPSS 0.13% · 32.9th percentile
Risk Scores
CVSS v4.0
7.099999904632568
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
EPSS Score
0.13%
32.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | open-policy-agent/opa-envoy-plugin | 0 |
| open-policy-agent | opa-envoy-plugin | < 1.13.2-envoy-2 |
Timeline
- Feb 18, 2026 CVE Published
- Feb 19, 2026 CVE Updated
- Feb 20, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
- Feb 25, 2026 EPSS Score
- Feb 27, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 2, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
References
- https://github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w url
- https://github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3 url
- https://github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-26205 advisory
- https://github.com/open-policy-agent/opa-envoy-plugin package