{"id":"CVE-2026-6994","summary":"Envoy Query Parameter header_mutation.cc params.add injection","details":"A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes injection. Remote exploitation of the attack is possible. Patch name: f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4. It is suggested to install a patch to address this issue.","modified":"2026-07-08T08:13:53.031219028Z","published":"2026-04-25T19:00:19.151Z","database_specific":{"cna_assigner":"VulDB","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6994.json","cwe_ids":["CWE-707","CWE-74"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6994.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6994"},{"type":"ADVISORY","url":"https://vuldb.com/submit/797241"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/359546"},{"type":"REPORT","url":"https://vuldb.com/vuln/359546/cti"},{"type":"FIX","url":"https://github.com/envoyproxy/envoy/commit/f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4"},{"type":"FIX","url":"https://github.com/envoyproxy/envoy/pull/43502/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/envoyproxy/envoy","events":[{"introduced":"ef54a03858d0be3e7768d37b5a8c0b136b664e21"},{"fixed":"f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4"}],"database_specific":{"extracted_events":[{"introduced":"1.0"},{"last_affected":"1.0"},{"introduced":"1.1"},{"last_affected":"1.1"},{"introduced":"1.2"},{"last_affected":"1.2"},{"introduced":"1.3"},{"last_affected":"1.3"},{"introduced":"1.4"},{"last_affected":"1.4"},{"introduced":"1.5"},{"last_affected":"1.5"},{"introduced":"1.6"},{"last_affected":"1.6"},{"introduced":"1.7"},{"last_affected":"1.7"},{"introduced":"1.8"},{"last_affected":"1.8"},{"introduced":"1.9"},{"last_affected":"1.9"},{"introduced":"1.10"},{"last_affected":"1.10"},{"introduced":"1.11"},{"last_affected":"1.11"},{"introduced":"1.12"},{"last_affected":"1.12"},{"introduced":"1.13"},{"last_affected":"1.13"},{"introduced":"1.14"},{"last_affected":"1.14"},{"introduced":"1.15"},{"last_affected":"1.15"},{"introduced":"1.16"},{"last_affected":"1.16"},{"introduced":"1.17"},{"last_affected":"1.17"},{"introduced":"1.18"},{"last_affected":"1.18"},{"introduced":"1.19"},{"last_affected":"1.19"},{"introduced":"1.20"},{"last_affected":"1.20"},{"introduced":"1.21"},{"last_affected":"1.21"},{"introduced":"1.22"},{"last_affected":"1.22"},{"introduced":"1.23"},{"last_affected":"1.23"},{"introduced":"1.24"},{"last_affected":"1.24"},{"introduced":"1.25"},{"last_affected":"1.25"},{"introduced":"1.26"},{"last_affected":"1.26"},{"introduced":"1.27"},{"last_affected":"1.27"},{"introduced":"1.28"},{"last_affected":"1.28"},{"introduced":"1.29"},{"last_affected":"1.29"},{"introduced":"1.30"},{"last_affected":"1.30"},{"introduced":"1.31"},{"last_affected":"1.31"},{"introduced":"1.32"},{"last_affected":"1.32"},{"introduced":"1.33.0"},{"last_affected":"1.33.0"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["1.0","1.1","1.10","1.11","1.12","1.13","1.14","1.15","1.16","1.17","1.18","1.19","1.2","1.20","1.21","1.22","1.23","1.24","1.25","1.26","1.27","1.28","1.29","1.3","1.30","1.31","1.32","1.33.0","1.4","1.5","1.6","1.7","1.8","1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6994.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}]}