github envoyproxy/envoy v1.36.7
on GitHub

latest release: v1.37.3
4 hours ago

repo: Release v1.36.7

Summary of changes:

  • Security fixes:

    • CVE-2026-47774: http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards mutable_max_request_headers_kb and max_headers_count limits, protecting against an HPACK cookie-bomb that could cause excessive memory usage. This can be reverted with envoy.reloadable_features.http2_include_cookies_in_limits.
    • oauth2: fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
    • oauth2: fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a HeaderString validation assert.
    • CVE-2026-27135: http2: applied nghttp2 CVE-2026-27135 patch.

  • Bug fixes:

    • load_report: fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.7
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.7/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.7/version_history/v1.36/v1.36.7
Full changelog:
v1.36.6...v1.36.7

Check out latest releases or
releases around envoyproxy/envoy v1.36.7

Don't miss a new envoy release

NewReleases is sending notifications on new releases.

Get notifications