GO-2026-4506 — Vulnetix

GO-2026-4506 PUBLISHED

opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path in github.com/open-policy-agent/opa-envoy-plugin

Affected Products

Vendor	Product	Versions
github.com	open-policy-agent/opa-envoy-plugin	0, 0

Timeline

Feb 23, 2026 CVE Published
Feb 24, 2026 CVE Updated
May 1, 2026 Security Advisory

References

https://github.com/open-policy-agent/opa-envoy-plugin/security/advisories/GHSA-9f29-v6mm-pw6w advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-26205 advisory
https://github.com/open-policy-agent/opa-envoy-plugin/commit/58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3 patch
https://github.com/open-policy-agent/opa-envoy-plugin/releases/tag/v1.13.2-envoy-2 url

Open in Interactive Console →