CVE-2026-26308

Envoy CVE-2026-26308 affects the Envoy RBAC filter. The issue arises from how multiple HTTP header values are validated: instead of validating each value separately, Envoy concatenates all values into a single comma-separated string, allowing bypass of Deny rules under RBAC. Affects versions prio...

EUVD-2026-10798

Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation...