What is CVE-2026-6994?

CVE-2026-6994 is a medium-severity vulnerability in Envoy, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 6.3/10. Published 2026-04-25.

How severe is CVE-2026-6994?

Medium severity. CVSS v3 base score is 6.3 out of 10.

Vulnerability in Envoy

CVE-2026-6994

A weakness has been identified in Envoy up to 1.33.0. Affected is the function params.add of the file source/extensions/filters/http/header_mutation/header_mutation.cc of the component Query Parameter Handler. This manipulation causes inje…

EPSS: 0.001 (17.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C.

Affected products

N/a Envoy — versions 1.0, 1.1, 1.2

Weakness classification (CWE)

References

VDB-359546 | Envoy Query Parameter header_mutation.cc params.add injection (vdb-entry, technical-description)
VDB-359546 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #797241 | Envoy >= 1.33.0 Injection (CWE-74) (third-party-advisory)
github.com/envoyproxy/envoy/pull/43502/ (issue-tracking, patch)
github.com/envoyproxy/envoy/commit/f8f4f1e02fdc64ecd4acf2d903208dd7285ad3a4 (patch)

Frequently asked questions

What is CVE-2026-6994?: CVE-2026-6994 is a medium-severity vulnerability in Envoy, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 6.3/10. Published 2026-04-25.
How severe is CVE-2026-6994?: Medium severity. CVSS v3 base score is 6.3 out of 10.