Envoy vulnerabilities: known CVEs & security history
Envoy Proxy · Proxy · 95 tracked CVEs · 1 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all Envoy release lines — 95 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Envoy's current status and the safe version to run.
Known Envoy CVEs
Actively-exploited and most-severe first. Showing the top 80 of 95. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2023-44487⚡ exploited | high | 7.5 | 100% | 2023 |
| CVE-2022-29226 | critical | 10 | 1% | 2022 |
| CVE-2019-18802 | critical | 9.8 | 2% | 2019 |
| CVE-2019-18801 | critical | 9.8 | 3% | 2019 |
| CVE-2020-35470 | high | 8.8 | 1% | 2020 |
| CVE-2024-23324 | high | 8.6 | 1% | 2024 |
| CVE-2023-35941 | high | 8.6 | 1% | 2023 |
| CVE-2021-39206 | high | 8.6 | 1% | 2021 |
| CVE-2021-39162 | high | 8.6 | 2% | 2021 |
| CVE-2021-32781 | high | 8.6 | 1% | 2021 |
| CVE-2021-32780 | high | 8.6 | 1% | 2021 |
| CVE-2021-32779 | high | 8.6 | 1% | 2021 |
| CVE-2021-32777 | high | 8.6 | 3% | 2021 |
| CVE-2020-25017 | high | 8.3 | 1% | 2020 |
| CVE-2019-9900 | high | 8.3 | 4% | 2019 |
| CVE-2023-35944 | high | 8.2 | 1% | 2023 |
| CVE-2023-27487 | high | 8.2 | 1% | 2023 |
| CVE-2021-21378 | high | 8.2 | 2% | 2021 |
| CVE-2023-27493 | high | 8.1 | 1% | 2023 |
| CVE-2021-29492 | high | 8.1 | 68% | 2021 |
| CVE-2026-26308 | high | 7.5 | 0% | 2026 |
| CVE-2025-62409 | high | 7.5 | 0% | 2025 |
| CVE-2025-54588 | high | 7.5 | 0% | 2025 |
| CVE-2024-53270 | high | 7.5 | 1% | 2024 |
| CVE-2024-45807 | high | 7.5 | 0% | 2024 |
| CVE-2024-34363 | high | 7.5 | 1% | 2024 |
| CVE-2024-32976 | high | 7.5 | 1% | 2024 |
| CVE-2024-32475 | high | 7.5 | 1% | 2024 |
| CVE-2024-27919 | high | 7.5 | 87% | 2024 |
| CVE-2024-23327 | high | 7.5 | 1% | 2024 |
| CVE-2024-23325 | high | 7.5 | 1% | 2024 |
| CVE-2024-23322 | high | 7.5 | 1% | 2024 |
| CVE-2023-35945 | high | 7.5 | 1% | 2023 |
| CVE-2022-29228 | high | 7.5 | 1% | 2022 |
| CVE-2022-29227 | high | 7.5 | 1% | 2022 |
| CVE-2022-29225 | high | 7.5 | 1% | 2022 |
| CVE-2022-21655 | high | 7.5 | 1% | 2022 |
| CVE-2021-43826 | high | 7.5 | 1% | 2022 |
| CVE-2021-43824 | high | 7.5 | 1% | 2022 |
| CVE-2021-39204 | high | 7.5 | 2% | 2021 |
| CVE-2021-29258 | high | 7.5 | 2% | 2021 |
| CVE-2021-28683 | high | 7.5 | 2% | 2021 |
| CVE-2021-28682 | high | 7.5 | 2% | 2021 |
| CVE-2020-35471 | high | 7.5 | 2% | 2020 |
| CVE-2020-25018 | high | 7.5 | 1% | 2020 |
| CVE-2020-8663 | high | 7.5 | 1% | 2020 |
| CVE-2020-12605 | high | 7.5 | 1% | 2020 |
| CVE-2020-12604 | high | 7.5 | 2% | 2020 |
| CVE-2020-12603 | high | 7.5 | 1% | 2020 |
| CVE-2019-18838 | high | 7.5 | 2% | 2019 |
| CVE-2019-18836 | high | 7.5 | 2% | 2019 |
| CVE-2019-15226 | high | 7.5 | 65% | 2019 |
| CVE-2019-15225 | high | 7.5 | 3% | 2019 |
| CVE-2022-21656 | high | 7.4 | 1% | 2022 |
| CVE-2022-21654 | high | 7.4 | 1% | 2022 |
| CVE-2024-53271 | high | 7.1 | 1% | 2024 |
| CVE-2022-21657 | medium | 6.8 | 0% | 2022 |
| CVE-2025-64527 | medium | 6.5 | 0% | 2025 |
| CVE-2025-62504 | medium | 6.5 | 0% | 2025 |
| CVE-2025-30157 | medium | 6.5 | 0% | 2025 |
| CVE-2024-45810 | medium | 6.5 | 1% | 2024 |
| CVE-2024-45808 | medium | 6.5 | 0% | 2024 |
| CVE-2024-45806 | medium | 6.5 | 0% | 2024 |
| CVE-2024-39305 | medium | 6.5 | 1% | 2024 |
| CVE-2023-35942 | medium | 6.5 | 1% | 2023 |
| CVE-2023-27496 | medium | 6.5 | 1% | 2023 |
| CVE-2019-9901 | medium | 6.5 | 3% | 2019 |
| CVE-2025-55162 | medium | 6.3 | 0% | 2025 |
| CVE-2023-35943 | medium | 6.3 | 1% | 2023 |
| CVE-2021-43825 | medium | 6.1 | 1% | 2022 |
| CVE-2026-26311 | medium | 5.9 | 0% | 2026 |
| CVE-2026-26310 | medium | 5.9 | 0% | 2026 |
| CVE-2024-34362 | medium | 5.9 | 1% | 2024 |
| CVE-2024-32975 | medium | 5.9 | 1% | 2024 |
| CVE-2024-32974 | medium | 5.9 | 1% | 2024 |
| CVE-2024-23326 | medium | 5.9 | 0% | 2024 |
| CVE-2022-29224 | medium | 5.9 | 1% | 2022 |
| CVE-2021-32778 | medium | 5.8 | 1% | 2021 |
| CVE-2024-34364 | medium | 5.7 | 0% | 2024 |
| CVE-2023-27491 | medium | 5.4 | 1% | 2023 |
15 older / lower-severity CVEs not shown — see Envoy's full record.
Is my Envoy version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your Envoy version → · Monitor Envoy for new CVEs →
Envoy vulnerabilities — frequently asked
How many known vulnerabilities does Envoy have?
IsItPatched tracks 95 CVEs for Envoy, 1 of which is actively exploited (CISA KEV). 3 are critical-severity and 53 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Envoy have any actively-exploited vulnerabilities?
Yes — 1 Envoy CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild. Patch it as a priority.
What is the most severe Envoy vulnerability?
Among tracked issues, CVE-2023-44487 (HIGH, CVSS 7.5), which is actively exploited, ranks highest — a Uncontrolled resource consumption weakness.
Is Envoy safe to use?
It depends on the version. The latest supported Envoy release (1.38.2) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: Envoy security status · Envoy end-of-life · actively-exploited CVEs. Always verify against Envoy Proxy's advisories — see our disclaimer.