7.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-26205

CVE-2026-26205: opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path

A security vulnerability has been discovered in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (//) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served.

Attack example

HTTP request:

GET //admin/users HTTP/1.1
Host: example.com

Policy sees:

The leading //admin path segment is interpreted as an authority component, and dropped from input.parsed_path field:

{
  "parsed_path": ["users"]
}

Backend receives:

//admin/users path, normalized to /admin/users.

Affected Request Pattern Examples

Impact

Users are impacted if all the following conditions apply:

Protected resources are path-hierarchical (e.g., /admin/users vs /users)
Authorization policies use input.parsed_path for path-based decisions
Backend servers apply lenient path normalization

Patches

Go: v1.13.2-envoy-2 Docker: 1.13.2-envoy-2, 1.13.2-envoy-2-static

Workarounds

Users who cannot immediately upgrade opa-envoy-plugin are recommended to apply one, or more, of the workarrounds described below.

1. Enable the `merge_slashes` Envoy configuration option

As per Envoy best practices, enabling the merge_slashes configuration option in Envoy will remove redundant slashes from the request path before filtering is applied, effectively mitigating the input.parsed_path issue described in this advisory.

2. Use `input.attributes.request.http.path` instead of `input.parsed_path` in policies

The input.attributes.request.http.path field contains the unprocessed, raw request path. Users are recommended to update any policy using input.parsed_path to instead use the input.attributes.request.http.path field.

Example

package example

# Use instead of input.parsed_path
parsed_path := split(                                        # tokenize into array
	trim_left(                                               # drop leading slashes
		urlquery.decode(input.attributes.request.http.path), # url-decode the path
		"/",
	),
	"/",
)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-26205

CVE-2026-26205:

7.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/open-policy-agent/opa-envoy-plugin	go	<= 1.13.1-envoy	1.13.2-envoy-2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the misinterpretation of HTTP request paths containing a leading double slash (//), causing an authorization bypass. The root cause is the use of Go's url.Parse function in getParsedPathAndQuery within envoyauth/request.go. This function incorrectly treats a segment of the path as a network authority (e.g., a hostname) and removes it from the input.parsed_path field that OPA policies rely on for authorization decisions. For example, a request to //admin/resource would be seen by the policy as a request for /resource, bypassing any controls specific to the /admin path.

The patch provided in commit 58c44d4ec408d5852d1d0287599e7d5c5e2bc5c3 rectifies this by removing the usage of url.Parse for path parsing. Instead, it manually separates the path and query, and then safely unescapes the path. This ensures that the input.parsed_path accurately reflects the requested path, preventing the bypass. The vulnerable function is getParsedPathAndQuery as it contains the flawed parsing logic.

Vulnerable functions

getParsedPathAndQuery

envoyauth/request.go

The function used `url.Parse` on the request path, which incorrectly interprets a path starting with `//` as having an authority component, stripping it from the parsed path. This discrepancy between the path seen by the policy and the one seen by the backend server allows for an authorization bypass.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-26205: opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path

Attack example

Affected Request Pattern Examples

Impact

Patches

Workarounds

1. Enable the merge_slashes Envoy configuration option

2. Use input.attributes.request.http.path instead of input.parsed_path in policies

Example

CVE-2026-26205:

7.1

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

7.1

7.1

Basic Information

Basic Information

CVE-2026-26205: opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path

Attack example

Affected Request Pattern Examples

Impact

Patches

Workarounds

1. Enable the merge_slashes Envoy configuration option

2. Use input.attributes.request.http.path instead of input.parsed_path in policies

Example

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

1. Enable the `merge_slashes` Envoy configuration option

2. Use `input.attributes.request.http.path` instead of `input.parsed_path` in policies

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

1. Enable the `merge_slashes` Envoy configuration option

2. Use `input.attributes.request.http.path` instead of `input.parsed_path` in policies

Vulnerability Intelligence
Miggo AI