Envoy TLS Inspector Bypass Vulnerability

Vulnerability

Envoy's TLS inspector, in versions prior to 1.13.0, could be bypassed by a client using only TLS 1.3: the inspector did not recognize the connection as coming from a TLS client. Because the TLS extensions, such as Server Name Indication (SNI) and Application-Layer Protocol Negotiation (ALPN), were then not inspected, such connections could be matched to the wrong filter chain, potentially bypassing certain security restrictions.

Impact

Exploitation of this vulnerability could lead to an incorrect filter chain match, allowing a client to bypass security restrictions that are dependent on the TLS inspector.

Remediation

Users can upgrade to Envoy versions 1.13.1 or 1.12.3, both of which include the necessary fix.
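
To scope the exposure, the following added example (not Envoy project code) checks a version string against the fixed releases named above and lists listeners whose filter chain selection depends on values supplied by the TLS inspector. It assumes a static JSON bootstrap; the listener names and sample config are constructed, and treating release lines after 1.13 as fixed is an assumption.

```python
import json

# Fixed releases named in this advisory, keyed by release line.
FIXED = {(1, 12): (1, 12, 3), (1, 13): (1, 13, 1)}
TLS_INSPECTOR_NAMES = {"envoy.listener.tls_inspector",
                       "envoy.filters.listener.tls_inspector"}
TLS_DERIVED_MATCH_FIELDS = ("server_names", "application_protocols", "transport_protocol")

def has_fix(version: str) -> bool:
    """True if the version is at or above the fixed patch level of its release line."""
    v = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v >= fixed
    # Assumption: lines after 1.13 carry the fix; older lines have no fixed release listed.
    return v > (1, 13, 1)

def listeners_relying_on_tls_inspector(config: dict) -> list:
    """Return (listener name, match fields) where chain selection uses TLS inspector output."""
    findings = []
    for listener in config.get("static_resources", {}).get("listeners", []):
        filters = {f.get("name") for f in listener.get("listener_filters", [])}
        if not filters & TLS_INSPECTOR_NAMES:
            continue
        fields = set()
        for chain in listener.get("filter_chains", []):
            match = chain.get("filter_chain_match", {})
            fields.update(k for k in TLS_DERIVED_MATCH_FIELDS if match.get(k))
        if fields:
            findings.append((listener.get("name", "<unnamed>"), sorted(fields)))
    return findings

# Constructed sample bootstrap fragment (not taken from a real deployment).
SAMPLE_CONFIG = json.loads("""
{"static_resources": {"listeners": [
  {"name": "ingress_tls",
   "listener_filters": [{"name": "envoy.listener.tls_inspector"}],
   "filter_chains": [
     {"filter_chain_match": {"server_names": ["internal.example.test"]}},
     {"filter_chain_match": {"transport_protocol": "raw_buffer"}}]},
  {"name": "plain_http", "filter_chains": [{}]}
]}}
""")

if __name__ == "__main__":
    for version in ("1.12.2", "1.13.1"):
        print(version, "fixed" if has_fix(version) else "needs upgrade")
    for name, fields in listeners_relying_on_tls_inspector(SAMPLE_CONFIG):
        print(f"{name}: filter chain selection depends on {', '.join(fields)}")
```

Listeners reported here are the ones where a wrong filter chain match would matter, so they are the first to verify after upgrading.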

Added: May 15, 2026, 9:53 AM
Updated: May 15, 2026, 9:53 AM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.