CVE-2026-22726

Name of the Vulnerable Software and Affected Versions Routing release versions 0.118.0 through 0.371.0 CF Deployment versions 0.0.2 through 54.14.0

Description Route Services can be used to direct application traffic to network destinations that bypass the configured egress rules of an app. This allows a malicious developer with access to Cloudfoundry to configure a route-service that sends requests to HTTP services on internal networks reachable by the Gorouter, potentially granting access to services that were previously inaccessible from the application or external networks.

Recommendations Upgrade Routing release to version 0.372.0 or greater. Upgrade CF Deployment to version 55.0.0 or greater.