What is CVE-2026-41246?

CVE-2026-41246 is a high-severity vulnerability in Projectcontour Contour, classified under Code Injection. CVSS score: 8.1/10. Published 2026-04-23.

How severe is CVE-2026-41246?

High severity. CVSS v3 base score is 8.1 out of 10.

RCE in Projectcontour Contour

CVE-2026-41246

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modi…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (21.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

Affected products

Projectcontour Contour — versions >= 1.33.0, < 1.33.4, >= 1.32.0, < 1.32.5, >= 1.19.0, < 1.31.6

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/projectcontour/contour/security/advisories/GHSA-x4mj-7f9g-29h4 (x_refsource_CONFIRM, Patch, Vendor Advisory)
https://github.com/projectcontour/contour/releases/tag/v1.31.6 (x_refsource_MISC, Release Notes)
https://github.com/projectcontour/contour/releases/tag/v1.32.5 (x_refsource_MISC, Release Notes)
https://github.com/projectcontour/contour/releases/tag/v1.33.4 (x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-41246?: CVE-2026-41246 is a high-severity vulnerability in Projectcontour Contour, classified under Code Injection. CVSS score: 8.1/10. Published 2026-04-23.
How severe is CVE-2026-41246?: High severity. CVSS v3 base score is 8.1 out of 10.