CVE-2026-15738 in aws-load-balancer-controllerinfo

Summary

by MITRE • 07/15/2026

Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource.



To mitigate this issue, users should upgrade to version 3.4.2.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability described represents a critical access control flaw in the AWS Load Balancer Controller's implementation of the Gateway API specification. This issue stems from improper order handling during the generation of listener rules within the controller's processing pipeline. The flaw specifically affects versions prior to 3.4.2 and creates a scenario where authenticated remote users can exploit the misordered rule processing to manipulate traffic routing between namespaces.

The technical root cause involves the Gateway API's HTTPRoute resource processing mechanism where the controller fails to properly order the evaluation of routing rules. When multiple HTTPRoute resources exist across different namespaces, the controller incorrectly processes these rules in an order that allows a malicious user to craft a resource that intercepts or spoofs traffic intended for another namespace. This misordering creates a path where gRPC traffic can be redirected or blocked by unauthorized parties who have access to create or modify HTTPRoute objects.

The operational impact of this vulnerability extends beyond simple traffic interception, as it fundamentally compromises the namespace isolation guarantees that Kubernetes and AWS Gateway API implementations are designed to provide. An attacker with sufficient privileges to create HTTPRoute resources within a shared gateway environment can potentially perform man-in-the-middle attacks against gRPC services, leading to data exposure, service disruption, or unauthorized access to sensitive backend systems.

This vulnerability aligns with CWE-1247, which addresses improper handling of API resource ordering and validation in cloud infrastructure controllers. The flaw also demonstrates characteristics consistent with ATT&CK technique T1566.002, where adversaries manipulate network traffic through legitimate administrative interfaces to achieve unauthorized access or data interception.

The security implications are particularly severe in multi-tenant environments where multiple teams or applications share the same Gateway resources but require strict isolation between their traffic flows. The vulnerability essentially allows namespace traversal attacks where an attacker can bypass normal access controls and potentially gain visibility into or control over services belonging to other namespaces within the same shared gateway infrastructure.

Organizations should immediately implement the recommended upgrade to version 3.4.2 which addresses this ordering issue through proper rule processing sequence validation. Additional mitigations include implementing stricter RBAC policies that limit HTTPRoute creation privileges, monitoring for unusual HTTPRoute resource modifications, and conducting comprehensive security reviews of existing Gateway API configurations to identify potential exploitation vectors. The fix ensures that listener rules are properly ordered based on namespace hierarchy and priority specifications defined in the Gateway API standard, thereby restoring proper traffic isolation guarantees between different application namespaces.

Responsible

AMZN

Reservation

07/14/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!