CVE-2026-47692 PUBLISHED

Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream

Assigner: GitHub_M
Reserved: 19.05.2026 Published: 26.06.2026 Updated: 26.06.2026

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, PROXY Protocol v2 header generator emits TLVs beyond the maximum length of 65535 bytes, causing a mismatch between bytes written and the length field in the header. This can result in smuggled bytes on the upstream request. This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
CVSS Score: 4.8

Attack Vector	Adjacent Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	envoyproxy
Product	envoy
Versions	Version >= 1.38.0, < 1.38.3 is affected Version >= 1.37.0, < 1.37.5 is affected Version >= 1.36.0, < 1.36.9 is affected Version >= 1.34.0, < 1.35.13 is affected

References

https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r

Problem Types

CWE-130: Improper Handling of Length Parameter Inconsistency CWE