github projectcontour/contour v1.33.4


We are delighted to present version v1.33.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

  • All Changes
  • Installing/Upgrading
  • Compatible Kubernetes Versions

All Changes

Security fix for CVE-2026-41246

This release fixes CVE-2026-41246, a Lua code injection vulnerability in Contour's Cookie Rewriting feature.

An attacker with RBAC permissions to create or modify HTTPProxy resources could craft a malicious cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. Since Envoy runs as shared infrastructure, the injected code could read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance.

The fix removes the use of text/template for generating Lua code entirely. User-provided values are now passed as structured data via Envoy's filterContext and read by a static Lua script at runtime.
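To make the shape of that fix concrete, the following is an added Go example, not Contour's or Envoy's code, contrasting the two patterns: rendering Lua source with text/template so that the user value becomes part of the program, versus keeping the Lua script constant and handing the value to it as structured data. The Lua fragments, the `metadata()` lookup, the `CookieRewriteContext` type and the `validPath` allowlist are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Vulnerable pattern (generic illustration, not Contour's code): the user-supplied
// path is spliced into Lua source by text/template. Whatever the value contains
// becomes part of the program the proxy executes.
const templatedLua = `function envoy_on_response(handle)
  local path = '{{ .Path }}'
  handle:headers():replace("set-cookie", rewrite_cookie_path(handle:headers():get("set-cookie"), path))
end
`

// RenderLuaWithTemplate shows the unsafe approach: the returned script differs
// for every input value, because the value is code, not data.
func RenderLuaWithTemplate(path string) (string, error) {
	tmpl, err := template.New("lua").Parse(templatedLua)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := tmpl.Execute(&out, map[string]string{"Path": path}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// Hardened pattern: the Lua script is a constant containing no user input. It reads
// the rewrite target from per-route configuration at runtime. The metadata lookup is
// an assumed sketch of how such a script would fetch its configuration, not copied
// from Envoy or Contour.
const StaticLua = `function envoy_on_response(handle)
  local cfg = handle:metadata():get("cookie_rewrite")
  if cfg == nil or cfg.path == nil then return end
  handle:headers():replace("set-cookie", rewrite_cookie_path(handle:headers():get("set-cookie"), cfg.path))
end
`

// CookieRewriteContext is the structured data delivered alongside the static script
// (an assumed shape for this example).
type CookieRewriteContext struct {
	Path string `json:"path"`
}

// validPath is an assumed defence-in-depth allowlist: a cookie Path attribute must
// start with "/" and may not contain control characters or ";" (the attribute separator).
var validPath = regexp.MustCompile(`^/[^\x00-\x1f\x7f;]*$`)

// BuildFilterContext validates the user value and encodes it as data. The value never
// touches the Lua source, so quoting characters in it cannot change the program.
func BuildFilterContext(path string) (string, error) {
	if !validPath.MatchString(path) {
		return "", fmt.Errorf("rejecting cookie path rewrite value %q", path)
	}
	b, err := json.Marshal(CookieRewriteContext{Path: path})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample value containing a quote character, a common escaping check.
	value := "/app'v2"
	unsafe, _ := RenderLuaWithTemplate(value)
	fmt.Println("templated Lua (value embedded in code):\n" + unsafe)
	ctx, err := BuildFilterContext(value)
	fmt.Printf("filter context (value as data): %s err=%v\n", ctx, err)
	fmt.Println("static Lua is unchanged by input:", !strings.Contains(StaticLua, value))
}
```

The check worth keeping from this is the last one: for any accepted input, the script shipped to the proxy must be byte-for-byte identical, and the only thing that varies is the JSON data blob.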

Note: This release requires Envoy 1.35.0 or later.

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.4 is tested against Kubernetes 1.32 through 1.34.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.
