プラットフォーム
go
コンポーネント
github.com/envoyproxy/gateway
修正版
1.5.8
1.6.1
1.6.2
1.5.7
CVE-2026-22771 describes a critical vulnerability affecting Envoy Gateway, specifically related to the handling of Extension Policy Lua scripts. This flaw enables an attacker to inject malicious Lua code, leading to arbitrary command execution on the server. The vulnerability impacts versions prior to 1.5.7 and a patch has been released to address it.
The core of this vulnerability lies in the insecure handling of Lua scripts used within Envoy Gateway's Extension Policies. An attacker who can inject malicious Lua code can execute arbitrary commands on the host system running Envoy Gateway. This could lead to complete system compromise, including data exfiltration, installation of malware, and denial of service. The potential blast radius is significant, particularly in environments where Envoy Gateway is used as a central point of ingress and traffic management. This vulnerability shares similarities with other script injection flaws where untrusted input is processed without proper sanitization, potentially allowing for remote code execution.
CVE-2026-22771 was publicly disclosed on January 23, 2026. The EPSS score is currently pending evaluation. There are no known public proof-of-concept exploits available at this time, but the severity and potential impact warrant immediate attention. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Organizations heavily reliant on Envoy Gateway for traffic management and API routing are particularly at risk. This includes those deploying microservices architectures, cloud-native applications, and service meshes. Environments using custom Extension Policies with untrusted Lua scripts are especially vulnerable.
• go / server:
ps aux | grep envoy | grep -i lua• go / server:
journalctl -u envoy -g 'lua script injection'• generic web:
curl -I <envoy_gateway_url>/_healthcheck | grep -i luadisclosure
エクスプロイト状況
EPSS
0.00% (0% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2026-22771 is to immediately upgrade Envoy Gateway to version 1.5.7 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization for all Lua scripts used in Extension Policies. Employing a Web Application Firewall (WAF) with rules to detect and block malicious Lua code injection attempts can provide an additional layer of defense. Review and audit all existing Extension Policy Lua scripts to identify and remove any potentially vulnerable code. After upgrading, verify the fix by attempting to inject a known malicious Lua script and confirming that it is blocked.
Actualice Envoy Gateway a la versión 1.5.7 o superior, o a la versión 1.6.2 o superior. Esto corrige la vulnerabilidad de inyección de scripts Lua que permite la ejecución de comandos arbitrarios y el acceso a credenciales sensibles. Asegúrese de seguir las instrucciones de actualización proporcionadas por envoyproxy.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2026-22771 is a HIGH severity vulnerability in Envoy Gateway allowing arbitrary command execution through malicious Lua script injection in Extension Policies before version 1.5.7.
If you are running Envoy Gateway versions prior to 1.5.7 and utilize Extension Policies with Lua scripts, you are potentially affected by this vulnerability.
Upgrade Envoy Gateway to version 1.5.7 or later to remediate the vulnerability. Implement stricter input validation for Lua scripts as an interim measure.
There are currently no known public exploits, but the vulnerability's severity warrants immediate action and monitoring for exploitation attempts.
Refer to the official Envoy Gateway security advisories and GitHub repository for the latest information and updates regarding CVE-2026-22771.
go.mod ファイルをアップロードすると、影響の有無を即座にお知らせします。