CVE-2026-22771: Silent Credential Leakage in Envoy Gateway Leading to Cluster Compromise

CVE ID: CVE-2026-22771
Affected Component: Envoy Gateway
Severity: High
CVSS Score: 8.8
Impact Type: Credential Disclosure → Privilege Escalation → Cluster Compromise
Exploit Availability: Public proof-of-concept examples exist (educational awareness only)
Attack Complexity: Low
Privileges Required: Low (ability to create or modify EnvoyExtensionPolicy)


Why This Vulnerability Is Dangerous

This vulnerability turns a configuration feature into a credential-theft mechanism.

Envoy Gateway supports Lua scripts for extending request and response behavior. In vulnerable versions, those Lua scripts were executed with far more access than intended. Instead of being safely isolated, they could read sensitive files inside the Envoy proxy or controller container.

Once a secret is read, the attacker does not need to "break out" of the container. They simply return the secret in an HTTP response or embed it in the policy's status field, which anyone with read access to that Kubernetes object can fetch like any other object.

That makes this vulnerability particularly dangerous because:

  • It looks like legitimate configuration activity,
  • It uses a built-in extension feature rather than a memory-corruption exploit,
  • And it can silently leak credentials without crashing anything.

Realistic Attack Chain

  1. Initial Access
    • Attacker has Kubernetes access (developer account, compromised CI/CD token, or misconfigured RBAC).
    • They can create or update EnvoyExtensionPolicy.
  2. Weaponization
    • Attacker embeds Lua code that reads sensitive files:
      • TLS private keys,
      • Kubernetes service account tokens,
      • Envoy internal credentials.
  3. Execution
    • Envoy executes the Lua script automatically when traffic flows or during policy validation.
  4. Credential Exfiltration
    • Secrets are returned in HTTP responses or written into resource status fields.
    • No network exploitation needed.
  5. Post-Exploitation
    • Attacker uses stolen credentials to:
      • Access Kubernetes API,
      • Read secrets,
      • Deploy workloads,
      • Move laterally across namespaces,
      • Or disrupt routing and traffic.

This is not theoretical — the attack path is simple and reliable.


What Exploitation Looks Like in Logs

Key Signals

  • New, modified or patched EnvoyExtensionPolicy objects, especially from principals that do not normally touch them.
  • Inline Lua scripts (type Inline) instead of references to a separately stored, reviewed script.
  • Unexpected large strings in policy status, written through the status subresource.
  • PEM private-key blocks or JWT-shaped service account tokens appearing in HTTP responses.
  • Controller logs containing unusually long error messages.

These signals are subtle individually, but strong when correlated.


Splunk Detection Rules

1. Detect Creation or Update of EnvoyExtensionPolicy

index=kubernetes_audit
verb IN ("create","update","patch")
objectRef.resource="envoyextensionpolicies"
| stats count, values(verb) AS verbs, earliest(_time) AS first_seen, latest(_time) AS last_seen by user.username, objectRef.namespace, objectRef.name

Why this matters:
EnvoyExtensionPolicy objects are rarely changed in stable environments. Any creation or update should be reviewed. Include the patch verb: kubectl apply and most controllers modify existing objects with patch, so a create/update-only search misses them.


2. Detect Inline Lua Usage

index=kubernetes_audit
verb IN ("create","update","patch")
objectRef.resource="envoyextensionpolicies"
| spath
| search "requestObject.spec.lua{}.type"="Inline" OR "requestObject.spec.lua{}.inline"=*
| table _time, user.username, objectRef.namespace, objectRef.name, verb, "requestObject.spec.lua{}.inline"

Why this matters:
Inline Lua is the exploitation vector. If your environment uses Lua at all, it should reference reviewed scripts, so a newly inlined script is a change worth looking at. This search only works if the audit policy records request bodies for this resource (level Request or RequestResponse); at level Metadata, requestObject is absent and you fall back to rule 1.


3. Detect Credential Leakage in Responses

index=envoy_access_logs
| regex response_body="-----BEGIN [A-Z ]*PRIVATE KEY-----|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"
| table _time, source, destination, response_body

Why this matters:
TLS keys or tokens should never appear in HTTP responses. The regex matches a PEM private-key header and the three-segment JWT shape of a Kubernetes service account token; a bare "token" keyword is far too noisy. Note that Envoy's default access log does not contain response bodies, so this rule assumes a custom access-log format or a body-capturing tap in front of the proxy populates response_body. Without that, use response size anomalies and the audit-log rules instead.


4. Detect Suspicious Controller Errors

index=envoy_gateway_logs
| regex _raw="-----BEGIN [A-Z ]*PRIVATE KEY-----|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|/var/run/secrets/kubernetes\.io/serviceaccount|tls\.key"
| stats count, earliest(_time) AS first_seen by host, _raw

Why this matters:
Secrets showing up in logs is almost always malicious or a serious misconfiguration. Certificates ("BEGIN CERTIFICATE") are public and routinely logged, so they are not a useful indicator here; private keys, token-shaped strings and references to the service account mount path are.


Microsoft Sentinel (KQL) Rules

1. EnvoyExtensionPolicy Creation

// Table and column names depend on your audit-log pipeline (for AKS diagnostic
// settings the table is AKSAudit); map them to your schema before deploying.
KubeAuditLogs
| where verb in ("create","update","patch")
| where ObjectRef.resource == "envoyextensionpolicies"
| project TimeGenerated, User, Namespace, Name, verb

2. Inline Lua Detection

KubeAuditLogs
| where verb in ("create","update","patch")
| where ObjectRef.resource == "envoyextensionpolicies"
| extend lua = tostring(RequestObject.spec.lua)
| where lua has "inline"   // matches type "Inline" and the inline script field; requires request bodies in the audit log
| project TimeGenerated, User, Namespace, Name, verb, lua

3. PEM or Token Leakage Detection

ContainerLog
| where LogEntry contains "PRIVATE KEY" or LogEntry contains "tls.key" or LogEntry contains "eyJ"
| where LogEntry matches regex @"-----BEGIN [A-Z ]*PRIVATE KEY-----|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|tls\.key"
| project TimeGenerated, ContainerName, LogEntry

The bare word "serviceaccount" is dropped from the match list because usernames of the form system:serviceaccount:... appear in ordinary logs and would drown the signal.

4. Unusual Policy Status Content

KubeAuditLogs
| where ObjectRef.resource == "envoyextensionpolicies"
| where ObjectRef.subresource == "status" or isnotempty(ResponseStatus.message)
| extend blob = strcat(tostring(RequestObject.status), " ", tostring(ResponseStatus.message))
| where blob matches regex @"-----BEGIN [A-Z ]*PRIVATE KEY-----|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}|[A-Za-z0-9+/=]{50,}"
| project TimeGenerated, User, Namespace, Name, blob

Status is written by the controller through the status subresource, so the content to inspect is RequestObject.status on those events; ResponseStatus.message only carries the API server's error text. The PEM and JWT patterns are precise; the trailing run of 50 or more base64 characters is a broader catch-all that will also match long hashes, so triage those separately.
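The Splunk and KQL rules above all implement the same three checks against Kubernetes audit events. The following is an added example, not code from the original post or from the Envoy Gateway project, that runs those checks over constructed audit events so the logic can be tested outside a SIEM. It assumes audit.k8s.io/v1 events recorded at level Request or RequestResponse (so requestObject is present), the EnvoyExtensionPolicy schema in which spec.lua is a list of entries with type Inline or ValueRef and an inline script string, and that status writes arrive as updates to the status subresource. The sample events and the ConfigMap name in them are constructed for the example.

```python
"""Audit-event detector for EnvoyExtensionPolicy abuse (added example).

Assumptions: audit.k8s.io/v1 events, one JSON object per line, recorded at
level Request or RequestResponse; EnvoyExtensionPolicy spec.lua entries have
type Inline|ValueRef and an inline script string; status writes are updates
to the "status" subresource. Sample events below are constructed.
"""
import json
import re

# A private key in PEM form.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Kubernetes service account tokens are JWTs: three base64url segments.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
# Lua file/OS primitives that a request-rewriting script has no business calling.
FILE_IO_RE = re.compile(r"\bio\.(open|popen|lines|read)\b|\bos\.(execute|getenv)\b")
WRITE_VERBS = ("create", "update", "patch")


def _strings(obj):
    """Yield every string nested anywhere inside a JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def analyze_event(ev):
    """Return the list of signals one audit event triggers (empty if none)."""
    ref = ev.get("objectRef") or {}
    if ref.get("resource") != "envoyextensionpolicies" or ev.get("verb") not in WRITE_VERBS:
        return []
    who = (ev.get("user") or {}).get("username", "?")
    name = "%s/%s" % (ref.get("namespace", "?"), ref.get("name", "?"))
    req = ev.get("requestObject")
    if not isinstance(req, dict):  # JSON-patch bodies are lists: nothing to inspect
        req = {}

    if ref.get("subresource") == "status":
        # Status is written by the controller; secret-looking material here is the
        # "embed it in resource status" exfiltration path described above.
        if any(PEM_RE.search(s) or JWT_RE.search(s) for s in _strings(req.get("status"))):
            return ["secret-like content in status of %s written by %s" % (name, who)]
        return []

    signals = ["%s of EnvoyExtensionPolicy %s by %s" % (ev["verb"], name, who)]
    for entry in (req.get("spec") or {}).get("lua") or []:
        if entry.get("type") == "Inline" or "inline" in entry:
            signals.append("inline Lua in %s" % name)
            if FILE_IO_RE.search(entry.get("inline") or ""):
                signals.append("file/OS access in inline Lua of %s" % name)
    return signals


def analyze_line(line):
    """Parse one newline-delimited JSON audit event and analyze it."""
    return analyze_event(json.loads(line))


def scan(lines):
    """Collect every signal from a sequence of audit-log lines."""
    found = []
    for line in lines:
        if line.strip():
            found.extend(analyze_line(line))
    return found


def _event(verb, user, resource, name, subresource=None, body=None):
    """Build a minimal constructed audit event as a JSON line."""
    ref = {"resource": resource, "namespace": "prod", "name": name}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user}, "objectRef": ref, "requestObject": body})


# Constructed sample audit events (not captured from a real cluster).
SAMPLE_LINES = [
    _event("create", "ci-deployer", "envoyextensionpolicies", "header-rewrite",
           body={"spec": {"lua": [{"type": "ValueRef",
                                   "valueRef": {"kind": "ConfigMap", "name": "rewrite-lua"}}]}}),
    _event("update", "dev-alice", "envoyextensionpolicies", "header-rewrite",
           body={"spec": {"lua": [{"type": "Inline", "inline":
                 'local f = io.open("/var/run/secrets/kubernetes.io/serviceaccount/token")'}]}}),
    _event("update", "system:serviceaccount:envoy-gateway-system:envoy-gateway",
           "envoyextensionpolicies", "header-rewrite", subresource="status",
           body={"status": {"conditions": [{"type": "Accepted", "message":
                 "error: eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiYyJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50In0.c2lnbmF0dXJlLXBsYWNlaG9sZGVyLWJ5dGVz"}]}}),
    _event("create", "ci-deployer", "httproutes", "api", body={"spec": {}}),
    _event("get", "dev-bob", "envoyextensionpolicies", "header-rewrite"),
]

if __name__ == "__main__":
    for signal in scan(SAMPLE_LINES):
        print(signal)
```

The benign ValueRef create still produces one low-severity signal (rule 1: any write to the resource), the inline write produces three, and the status write carrying a token-shaped string produces the high-severity one; the HTTPRoute write and the read are ignored. Patch events are handled only when the body is a merge patch (a JSON object); JSON-patch bodies are lists and yield just the rule 1 signal.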


Incident Response Guidance

If you detect any of the above:

  1. Assume credential compromise: treat every secret the proxy and controller containers could read as stolen.
  2. Rotate the service account tokens mounted into the Envoy proxy and controller pods. A projected (bound) token stays valid until it expires unless the pod or service account it is bound to is deleted, so rotation means recreating those pods, not restarting the process inside them.
  3. Rotate the TLS private keys those containers could read and reissue the certificates.
  4. Audit RBAC bindings for the principal that wrote the policy and for the service accounts whose tokens may have leaked.
  5. Inspect workloads created since the policy change for attacker persistence.
  6. Upgrade Envoy Gateway immediately to a fixed release listed in the advisory.

Do not rely on “cleanup only.” Once secrets leak, they must be treated as stolen.


Mitigation Summary

  • Restrict create, update and patch on envoyextensionpolicies (API group gateway.envoyproxy.io) to a small set of trusted principals via RBAC.
  • Disable Lua support if not required.
  • Add admission control that rejects inline Lua and only allows referenced, reviewed scripts.
  • Monitor audit logs continuously, including writes to the status subresource.
  • Patch to a fixed version immediately.
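One way to implement the admission-control item is a ValidatingAdmissionPolicy, which needs no webhook to run. The following is an added example, not a policy shipped by the Envoy Gateway project: it assumes the API group gateway.envoyproxy.io with resource envoyextensionpolicies, the schema in which spec.lua is a list of entries carrying a type of Inline or ValueRef plus an inline script field, and a cluster where admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy is available (Kubernetes 1.30 or later). The policy and binding names are placeholders.

```yaml
# Added example: reject EnvoyExtensionPolicy objects that carry inline Lua.
# Assumes spec.lua[].type is Inline|ValueRef and spec.lua[].inline holds the script.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-inline-lua-envoyextensionpolicy   # placeholder name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["gateway.envoyproxy.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["envoyextensionpolicies"]
  validations:
    - expression: >-
        !has(object.spec.lua) ||
        object.spec.lua.all(l,
          !has(l.inline) && (!has(l.type) || l.type != 'Inline'))
      message: >-
        Inline Lua in EnvoyExtensionPolicy is not allowed; reference a reviewed
        script with type ValueRef instead.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-inline-lua-envoyextensionpolicy   # placeholder name
spec:
  policyName: deny-inline-lua-envoyextensionpolicy
  validationActions: [Deny]
```

The expression checks both the inline field and the type value, so a script cannot slip through by omitting whichever one the schema treats as optional. Start with validationActions: [Audit] to measure how many existing objects would be rejected, then switch to Deny. The policy does not match the status subresource, so it does not interfere with the controller's own status writes, and it complements rather than replaces the RBAC restriction above: RBAC limits who can write the object, the policy limits what any writer can put in it.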

Official Patch / Upgrade

Upgrade Envoy Gateway using the official security advisory and fixed releases:

https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22


Final Takeaway

This vulnerability is dangerous not because it crashes systems, but because it quietly hands attackers your keys.

If an attacker can define policies, they can steal credentials.
If they steal credentials, they control the environment.

Treat configuration abuse with the same seriousness as remote code execution.
Patch quickly, restrict access aggressively, and monitor continuously.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.