CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50149

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-02
Impact When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send an unrecognized SNI (one that does not match any HTTPProxy FQDN) bypass configured JWT verification and are proxied to upstream services without a valid token. To list all HTTPProxies with this invalid configuration, run kubectl get httpproxies -A -o json | jq -r ' .items[] | select(.spec.virtualhost | .tls.enableFallbackCertificate and .jwtProviders) | "Invalid HTTPProxy found: \(.metadata.namespace)/\(.metadata.name)" ' Patches This issue is fixed in Contour v1.33.5. Contour now rejects and marks invalid any HTTPProxy resources that combine .spec.virtualhost.tls.enableFallbackCertificate: true with .spec.virtualhost.jwtProviders. Affected resources will receive a status condition with the error reason TLSIncompatibleFeatures. Workarounds Do not enable .spec.virtualhost.tls.enableFallbackCertificate on HTTPProxy resources that also define .spec.virtualhost.jwtProviders. Remove one of the two settings to avoid the invalid configuration. References - Contour fallback certificate documentation: https://projectcontour.io/docs/main/config/tls-termination/#fallback-certificate - Contour JWT verification documentation: https://projectcontour.io/docs/main/config/jwt-verification/

⚡ Watch CVE-2026-50149

Get an email if CVE-2026-50149 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-50149

CVE.org record

Embed the live status

CVE-2026-50149 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50149 status](https://www.csirts.com/badge/CVE-2026-50149)](https://www.csirts.com/cve/CVE-2026-50149)