A flaw was found in Contour. When an HTTPProxy is configured with both a fallback certificate and JWT (JSON Web Token) providers, Contour does not properly enforce JWT verification. This allows remote attackers to bypass security checks by sending requests without a valid token, specifically when clients do not provide a TLS Server Name Indication (SNI) or provide an unrecognized SNI. The consequence is unauthorized access to upstream services and potential information disclosure.
History

Wed, 15 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Projectcontour
Projectcontour contour
Vendors & Products Projectcontour
Projectcontour contour

Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Contour. When an HTTPProxy is configured with both a fallback certificate and JWT (JSON Web Token) providers, Contour does not properly enforce JWT verification. This allows remote attackers to bypass security checks by sending requests without a valid token, specifically when clients do not provide a TLS Server Name Indication (SNI) or provide an unrecognized SNI. The consequence is unauthorized access to upstream services and potential information disclosure.
Title contour: Contour: JWT verification bypass allows unauthorized access via HTTPProxy misconfiguration
Weaknesses CWE-295
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

threat_severity

Moderate


cve-icon MITRE

No data.

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-02T17:15:20Z

Links: CVE-2026-50149 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-15T14:15:15Z