Incorrect Authorization Affecting opa-fips-envoy package, versions <1.13.2_p2-r0


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

Social Trends
EPSS
0.38% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-OPAFIPSENVOY-15351472
  • published25 Feb 2026
  • disclosed19 Feb 2026

Introduced: 19 Feb 2026

CVE-2026-26205  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade Chainguard opa-fips-envoy to version 1.13.2_p2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream opa-fips-envoy package and not the opa-fips-envoy package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the input.parsed_path field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (//) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.