Summary of changes:
Security fixes:
- CVE-2026-26308: fix multivalue header bypass in rbac
- CVE-2026-26310: network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
- CVE-2026-26309: json: fixed an off-by-one write that could corrupt the string null terminator
- CVE-2026-26311: http: ensure decode* methods are blocked after a downstream reset
Bug fix:
- Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
Dependency updates:
- Migrated googleurl source to GitHub (google/gurl).
- Updated Kafka test binary to 3.9.2.
- Updated Docker base images.
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.9/version_history/v1.35/v1.35.9
Full changelog:
v1.35.8...v1.35.9
Signed-off-by: Ryan Northey ryan@synca.io
Signed-off-by: Boteng Yao boteng@google.com