CVE-2026-6994: Envoy Query Parameter Injection via header_mutation
Envoy's header_mutation filter inserts header values into query strings without URL encoding, enabling arbitrary query-parameter injection — auth bypass, SQLi/XSS on upstream services. Affects v1.33.0+.
Summary
The header_mutation filter’s query_parameter_mutations feature inserts formatter output (e.g. %REQ(header)%) into the request query string without URL encoding. A percent-encoding helper (PercentEncoding::urlEncode()) already exists in the codebase, but this code path does not call it.
Example
An attacker sets a header containing URL metacharacters:
X-Inject: alice&admin=true&sql=1'OR'1'='1
Envoy copies the header value verbatim into the upstream request’s query string, so the unencoded & and = characters are parsed as additional parameters:
/api?user=alice&admin=true&sql=1'OR'1'='1
Root cause
params.add() at header_mutation.cc:22 and toString() at utility.cc:1156 output raw values. Other Envoy filters (OAuth2, gRPC transcoder) correctly use urlEncode() for the same operation — this filter just didn’t.
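The following is an added illustration, not Envoy’s code: it models the unencoded insertion described above next to the percent-encoded form, parses both results the way a naive upstream would, and includes a small defender-side check for header values that would alter query structure if copied raw. The header name x-inject and the path /api are taken from the example above; everything else is constructed.

```python
from urllib.parse import parse_qs, quote

# Constructed request headers; the value is the advisory's example payload.
HEADERS = {"x-inject": "alice&admin=true&sql=1'OR'1'='1"}


def mutate_query_unencoded(path: str, key: str, value: str) -> str:
    """Model of the vulnerable path: formatter output is appended raw
    (a re-implementation of the behaviour, not Envoy's code)."""
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}{key}={value}"


def mutate_query_encoded(path: str, key: str, value: str) -> str:
    """Hardened form: percent-encode key and value so '&', '=' and quotes
    cannot act as query syntax (stand-in for PercentEncoding::urlEncode())."""
    sep = "&" if "?" in path else "?"
    return f"{path}{sep}{quote(key, safe='')}={quote(value, safe='')}"


def upstream_params(url: str) -> dict:
    """What an upstream sees after parsing the query string (first value per key)."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def unsafe_header_values(headers: dict) -> list:
    """Defender's check: names of headers whose values contain query
    metacharacters and would change query structure if copied unencoded."""
    meta = set("&=?#+")
    return [name for name, val in headers.items() if meta & set(val)]


if __name__ == "__main__":
    value = HEADERS["x-inject"]
    vuln = mutate_query_unencoded("/api", "user", value)
    safe = mutate_query_encoded("/api", "user", value)
    print(vuln)                   # the injected parameters survive as separate keys
    print(upstream_params(vuln))  # {'user': 'alice', 'admin': 'true', 'sql': "1'OR'1'='1"}
    print(safe)                   # one percent-encoded 'user' parameter
    print(upstream_params(safe))  # {'user': "alice&admin=true&sql=1'OR'1'='1"}
    print(unsafe_header_values(HEADERS))  # ['x-inject']
```

In the encoded case the upstream receives a single user parameter carrying the whole string, with no admin or sql key to trust.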
Impact
- CVSS: 6.3
- Arbitrary query-parameter injection
- Authorization bypass when upstream services trust query parameters
- Enables SQLi / XSS / parameter smuggling against upstream services
- Affects: v1.33.0+
Discovery
Found by code review of Envoy’s header_mutation filter and its query_parameter_mutations code path; confirmed end-to-end against a running Envoy instance.
Status
Fixed in PR #43502. CVE assigned.