v1.5.2

Updated Envoy Gateway to v1.5.7

Security Updates

• Bump Envoy to v1.35.8.
• Fixed CVE-2026-22771: arbitrary code execution through EnvoyExtensionPolicy Lua scripts.

Bug Fixes

• Fixed an issue where observedGeneration is missing from the EnvoyPatchPolicy status.
• Fixed ExternalTrafficPolicy not being applied to Envoy Service when ServiceType is NodePort.
• Fixed an issue where BackendTrafficPolicy does not validate the maximum value of the requestBuffer limit.
• Fixed an issue where port forward not working on OpenTelemetry collector pods.
• Fixed a potential goroutine leak when config reloads.