PT-2026-58726 · Amazon · Aws-Load-Balancer-Controller
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-15738
CVSS v3.1
8.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Amazon AWS Load Balancer Controller versions prior to 3.4.2
Description
An issue exists in the Gateway API listener-rule generation where rules are ordered by route type rather than specificity when an
HTTPRoute and GRPCRoute share an ALB listener and hostname. This allows an authenticated remote user with HTTPRoute permissions in a namespace to create a crafted HTTPRoute resource that takes precedence over a narrower GRPCRoute in another namespace, potentially leading to the interception, spoofing, or denial of gRPC traffic on a shared Gateway.Recommendations
Upgrade to version 3.4.2.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Aws-Load-Balancer-Controller