Security releases of Envoy Gateway 1.6.2 and 1.5.7 are now available

[Guy Daich]

Hello Envoy Gateway Community,

The Envoy Gateway security team would like to announce the availability of Envoy Gateway 1.6.2 and 1.5.7.

This addresses the following CVE(s):

• CVE-2026-22771 (CVSS score 8.8/10 - High) Envoy Gateway arbitrary code execution through EnvoyExtensionPolicy Lua scripts

Upgrading to 1.6.2 and 1.5.7 is encouraged to fix this issue.

• Release 1.6.2:
  • GitHub tag: https://github.com/envoyproxy/gateway/releases/tag/v1.6.2
  • Release notes: https://gateway.envoyproxy.io/news/releases/notes/v1.6.2
• Release 1.5.7:
  • GitHub tag: https://github.com/envoyproxy/gateway/releases/tag/v1.5.7
  • Release notes: https://gateway.envoyproxy.io/news/releases/notes/v1.5.7

For more information about fixed vulnerability please see the following link:

• CVE-2025-55162: https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22

Thanks,

Guy Daich on behalf of the Envoy Gateway security team and maintainers.