Description
Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource.



To mitigate this issue, users should upgrade to version 3.4.2.
Published: 2026-07-14
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource. To mitigate this issue, users should upgrade to version 3.4.2.
Title Cross-namespace traffic interception via incorrect route precedence ordering in AWS Load Balancer Controller
First Time appeared Amazon
Amazon aws-load-balancer-controller
Weaknesses CWE-653
CPEs cpe:2.3:a:amazon:aws-load-balancer-controller:*:*:*:*:*:*:*:*
Vendors & Products Amazon
Amazon aws-load-balancer-controller
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


Subscriptions

Amazon Aws-load-balancer-controller
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-07-14T20:19:23.721Z

Reserved: 2026-07-14T14:02:30.277Z

Link: CVE-2026-15738

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses