Releases: projectcontour/contour

v1.33.4

20 Apr 17:10

We are delighted to present version v1.33.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Security fix for CVE-2026-41246

This release fixes CVE-2026-41246, a Lua code injection vulnerability in Contour's Cookie Rewriting feature.

An attacker with RBAC permissions to create or modify HTTPProxy resources could craft a malicious cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. Since Envoy runs as shared infrastructure, the injected code could read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance.

The fix removes the use of text/template for generating Lua code entirely. User-provided values are now passed as structured data via Envoy's filterContext and read by a static Lua script at runtime.

Note: This release requires Envoy 1.35.0 or later.

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.4 is tested against Kubernetes 1.32 through 1.34.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still want to give us feedback on your usage and scenarios for Contour, please post on this GitHub thread.

v1.32.5

20 Apr 17:10

We are delighted to present version v1.32.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Security fix for CVE-2026-41246

This release fixes CVE-2026-41246, a Lua code injection vulnerability in Contour's Cookie Rewriting feature.

An attacker with RBAC permissions to create or modify HTTPProxy resources could craft a malicious cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. Since Envoy runs as shared infrastructure, the injected code could read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance.

The fix escapes user-provided values before interpolation into Lua code.
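
The escaping approach described above, as an added example in Go (not Contour's code): `text/template` inserts a value into Lua source verbatim, while encoding it as a Lua string literal keeps it inside one literal. The template `luaTmpl`, the helpers `renderRaw`, `luaQuote`, `renderSafe` and `unescapedQuotes`, and the sample value are all constructed for illustration.

```go
package main

import (
	"fmt"
	"text/template"
	"strings"
)

// Hypothetical template (not Contour's): a user value lands inside a Lua string literal.
var luaTmpl = template.Must(template.New("lua").Parse("local path = \"{{ . }}\"\n"))

// renderRaw interpolates the value verbatim; text/template has no notion of Lua syntax.
func renderRaw(value string) string {
	var b strings.Builder
	_ = luaTmpl.Execute(&b, value) // cannot fail for a string written to a Builder
	return b.String()
}

// luaQuote encodes value as a Lua string literal; control bytes use Lua's \ddd form.
func luaQuote(value string) string {
	out := []byte{'"'}
	for i := 0; i < len(value); i++ {
		switch c := value[i]; {
		case c == '"' || c == '\\':
			out = append(out, '\\', c)
		case c < 0x20 || c == 0x7f:
			out = append(out, fmt.Sprintf(`\%03d`, c)...)
		default:
			out = append(out, c)
		}
	}
	return string(append(out, '"'))
}

func renderSafe(value string) string { return "local path = " + luaQuote(value) + "\n" }

// unescapedQuotes counts string delimiters; one intact literal has exactly two.
func unescapedQuotes(lua string) (n int) {
	for i := 0; i < len(lua); i++ {
		if lua[i] == '\\' {
			i++ // skip the escaped byte
		} else if lua[i] == '"' {
			n++
		}
	}
	return n
}

func main() {
	fmt.Print(renderRaw("/app\" --"), renderSafe("/app\" --")) // constructed sample value
}
```

A delimiter count other than two on the rendered line means the value ended the literal early and the remainder is parsed as Lua source.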

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.32.5 is tested against Kubernetes 1.31 through 1.33.

v1.31.6

20 Apr 17:09

We are delighted to present version v1.31.6 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Security fix for CVE-2026-41246

This release fixes CVE-2026-41246, a Lua code injection vulnerability in Contour's Cookie Rewriting feature.

An attacker with RBAC permissions to create or modify HTTPProxy resources could craft a malicious cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. Since Envoy runs as shared infrastructure, the injected code could read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance.

The fix escapes user-provided values before interpolation into Lua code.

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.31.6 is tested against Kubernetes 1.30 through 1.32.

Contour v1.33.3

23 Mar 15:15

We are delighted to present version v1.33.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Bumps to Envoy v1.35.9 to address security vulnerabilities.
  • Updates google.golang.org/grpc to v1.79.3, which addresses CVE-2026-33186 (Contour is not affected).
  • Removes Envoy metrics hostPort: 8002 from example manifests. (#7476)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.3 is tested against Kubernetes 1.32 through 1.34.

Contour v1.32.4

23 Mar 15:14

We are delighted to present version v1.32.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Bumps to Envoy v1.34.13 to address security vulnerabilities and improve stability.
  • Updates google.golang.org/grpc to v1.79.3, which addresses CVE-2026-33186 (Contour is not affected).
  • Removes Envoy metrics hostPort: 8002 from example manifests. (#7476)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.32.4 is tested against Kubernetes 1.31 through 1.33.

Contour v1.31.5

23 Mar 15:13

We are delighted to present version v1.31.5 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Bumps to Envoy v1.34.13 to address security vulnerabilities and improve stability.
  • Updates google.golang.org/grpc to v1.79.3, which addresses CVE-2026-33186 (Contour is not affected).
  • Removes Envoy metrics hostPort: 8002 from example manifests. (#7476)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.31.5 is tested against Kubernetes 1.30 through 1.32.

Contour v1.33.2

20 Feb 16:18

We are delighted to present version v1.33.2 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Go to v1.25.7. See the Go release notes for more information about the content of the release.
  • Fixes load balancer status update failures caused by HTTPProxy CRD schema incorrectly marking status.loadBalancer.ingress[].ports[].error as a required field. (#7408)
  • Increases CPU limit for the shutdown-manager container from 50m to 200m when using the Contour Gateway Provisioner, to prevent CPU throttling. (#7382)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.2 is tested against Kubernetes 1.32 through 1.34.

Contour v1.32.3

20 Feb 16:17

We are delighted to present version v1.32.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Go to v1.24.13. See the Go release notes for more information about the content of the release.
  • Fixes load balancer status update failures caused by HTTPProxy CRD schema incorrectly marking status.loadBalancer.ingress[].ports[].error as a required field. (#7408)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.32.3 is tested against Kubernetes 1.31 through 1.33.

Contour v1.31.4

20 Feb 16:16

We are delighted to present version v1.31.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Go to v1.24.13. See the Go release notes for more information about the content of the release.
  • Fixes load balancer status update failures caused by HTTPProxy CRD schema incorrectly marking status.loadBalancer.ingress[].ports[].error as a required field. (#7408)

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.31.4 is tested against Kubernetes 1.30 through 1.32.

Contour v1.33.1

22 Dec 19:28

We are delighted to present version v1.33.1 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Updates Envoy to v1.35.8. See the Envoy release notes for more information about the content of the release.
  • Updates Go to v1.25.5. See the Go release notes for more information about the content of the release.

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.1 is tested against Kubernetes 1.32 through 1.34.
