CVE-2026-15738

Summary

Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource.

To mitigate this issue, users should upgrade to version 3.4.2.

Affected Software

VendorProductVersion RangeStatus
Amazonaws-load-balancer-controller0 < 3.4.2affected

Weaknesses

  • CWE-653: CWE-653 Improper isolation or compartmentalization

References