JustAppSec

Contour patches Lua injection in cookie rewriting policies

Published 23 Apr 2026 (updated 23 Apr 2026). Source: CVEProject (cvelistV5). 1 min read.

TL;DR — Contour’s Cookie Rewriting feature can be abused for Lua code injection, allowing attackers with HTTPProxy write permissions to execute arbitrary code in the shared Envoy proxy.

What happened

Contour is a Kubernetes ingress controller that programs the Envoy proxy to route and manage inbound HTTP traffic.

CVE-2026-41246 describes a Lua code injection issue in Contour’s Cookie Rewriting feature. The CVE states that an attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in spec.routes[].cookieRewritePolicies[].pathRewrite.value or spec.routes[].services[].cookieRewritePolicies[].pathRewrite.value, resulting in arbitrary code execution in the Envoy proxy. The described root cause is that user-controlled values are interpolated into Lua source code via Go text/template without sufficient sanitization.

The Lua attached to a route only runs on requests that match that route, but it runs inside the Envoy process, and in most platform deployments that process is shared by every tenant the ingress fronts. Code execution inside the proxy is therefore not contained to the attacker's own application: it sits next to the control plane and next to every other tenant's traffic, so credential exposure and a cross-tenant blast radius are realistic outcomes.

Who is impacted

  • Kubernetes clusters running projectcontour/contour in the affected version ranges listed below.
  • Environments where an attacker can obtain RBAC permission to create or modify HTTPProxy resources. The attacker supplies the cookieRewritePolicies entry in their own HTTPProxy, so existing use of Cookie Rewriting is not a precondition; it only shows where the feature is already reachable.

Component   Affected (per CVE record)   Fixed (per CVE record)
contour     >= 1.19.0, < 1.31.6         1.31.6
contour     >= 1.32.0, < 1.32.5         1.32.5
contour     >= 1.33.0, < 1.33.4         1.33.4

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix; the CVE record states the issue is fixed in v1.33.4, v1.32.5, and v1.31.6.
  • Inventory clusters running Contour: record the running image version, list HTTPProxy objects that set cookieRewritePolicies[].pathRewrite at route or service level, and list every Role or ClusterRole whose rules grant create, update or patch on httpproxies in the projectcontour.io API group, then check which subjects outside your most-trusted operator/admin roles are bound to them.
  • Treat this as a shared-infrastructure risk: if multi-tenant workloads can influence HTTPProxy resources, review RBAC bindings and tenancy boundaries around Contour/Envoy as part of the upgrade rollout.
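The inventory steps above as a script, added here as an illustration and not code from the Contour project or the CVE record. It runs offline on exported JSON in the shape of `kubectl get httpproxy -A -o json` and `kubectl get clusterroles -o json`: it maps a Contour image tag to the fixed release using the ranges from the CVE record, lists every cookieRewritePolicies[].pathRewrite.value under spec.routes[] and spec.routes[].services[], flags values that fall outside a conservative cookie-Path allowlist, and reports roles whose rules grant create, update or patch on httpproxies. The allowlist, the function names and the sample objects are assumptions made for this example.

```python
"""Triage helper for CVE-2026-41246 (Contour cookie-rewrite Lua injection).

Added example for this article, not Contour project code. Works offline on
exported Kubernetes objects; the allowlist, helper names and sample data are
assumptions made here for illustration.
"""
import re
from typing import Iterator, Optional

# Affected ranges (inclusive low, exclusive high) and fixes as listed in the CVE record.
AFFECTED_RANGES = [
    ((1, 19, 0), (1, 31, 6), "1.31.6"),
    ((1, 32, 0), (1, 32, 5), "1.32.5"),
    ((1, 33, 0), (1, 33, 4), "1.33.4"),
]

def parse_version(tag: str) -> tuple:
    """Turn 'ghcr.io/projectcontour/contour:v1.32.3' or 'v1.32.3' into (1, 32, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no semantic version in {tag!r}")
    return tuple(int(x) for x in m.groups())

def fixed_release_for(tag: str) -> Optional[str]:
    """Release to upgrade to if `tag` falls in an affected range, else None."""
    v = parse_version(tag)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return fixed
    return None

# Conservative allowlist for a cookie Path attribute: a leading slash, then plain
# path characters. Deliberately tighter than RFC 6265's path-av grammar so that a
# quote, bracket, semicolon or newline (all significant inside Lua source, none
# needed in a real Path) is always flagged. Triage heuristic, not Contour's rule.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")

def cookie_path_rewrites(httpproxy: dict) -> Iterator[tuple]:
    """Yield (namespace, name, field_path, value) for every pathRewrite.value."""
    meta = httpproxy.get("metadata", {})
    ns, name = meta.get("namespace", ""), meta.get("name", "")
    for ri, route in enumerate(httpproxy.get("spec", {}).get("routes", [])):
        # Route-level policies: spec.routes[].cookieRewritePolicies[]
        for pi, pol in enumerate(route.get("cookieRewritePolicies", [])):
            val = pol.get("pathRewrite", {}).get("value")
            if val is not None:
                yield ns, name, f"spec.routes[{ri}].cookieRewritePolicies[{pi}].pathRewrite.value", val
        # Service-level policies: spec.routes[].services[].cookieRewritePolicies[]
        for si, svc in enumerate(route.get("services", [])):
            for pi, pol in enumerate(svc.get("cookieRewritePolicies", [])):
                val = pol.get("pathRewrite", {}).get("value")
                if val is not None:
                    field = f"spec.routes[{ri}].services[{si}].cookieRewritePolicies[{pi}].pathRewrite.value"
                    yield ns, name, field, val

def triage_httpproxies(httpproxy_list: dict) -> dict:
    """Summarise a list document: every cookie-path rewrite, and the ones to look at."""
    uses, suspicious = [], []
    for item in httpproxy_list.get("items", []):
        for hit in cookie_path_rewrites(item):
            uses.append(hit)
            if not SAFE_PATH.match(hit[3]):
                suspicious.append(hit)
    return {"cookie_rewrite_uses": uses, "suspicious_values": suspicious}

WRITE_VERBS = {"create", "update", "patch", "*"}

def grants_httpproxy_write(role: dict) -> bool:
    """True if a Role/ClusterRole has a rule that can create or modify HTTPProxy objects."""
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if (groups & {"projectcontour.io", "*"}
                and resources & {"httpproxies", "*"}
                and verbs & WRITE_VERBS):
            return True
    return False

# Constructed sample data (not from any real cluster). team-b's value carries a
# double quote, which has no place in a cookie Path and is significant in Lua.
SAMPLE_HTTPPROXIES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web"},
     "spec": {"routes": [{"services": [{"name": "web", "port": 80}],
                          "cookieRewritePolicies": [{"name": "session",
                                                     "pathRewrite": {"value": "/app"}}]}]}},
    {"metadata": {"namespace": "team-b", "name": "api"},
     "spec": {"routes": [{"services": [{"name": "api", "port": 8080,
                                        "cookieRewritePolicies": [{"name": "sid",
                                                                   "pathRewrite": {"value": '/v1" extra'}}]}]}]}},
]}
SAMPLE_ROLE = {"metadata": {"name": "tenant-editor"},
               "rules": [{"apiGroups": ["projectcontour.io"], "resources": ["httpproxies"],
                          "verbs": ["get", "list", "patch"]}]}

if __name__ == "__main__":
    print("upgrade v1.32.3 to:", fixed_release_for("ghcr.io/projectcontour/contour:v1.32.3"))
    for hit in triage_httpproxies(SAMPLE_HTTPPROXIES)["suspicious_values"]:
        print("review:", hit)
    print("tenant-editor can write HTTPProxy:", grants_httpproxy_write(SAMPLE_ROLE))
```

Feed it real data with `json.load()` on the kubectl output and pass each ClusterRole and Role through `grants_httpproxy_write`; remember that a binding to a role with `patch` alone is enough, since the attacker only needs to modify an existing HTTPProxy. The allowlist is a triage filter, not a verdict: a flagged value deserves a look, an unflagged one is not proof that nothing was injected, and neither replaces the upgrade to the fixed release.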

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
