CVE-2026-15738 - Issue with AWS Load Balancer Controller Cross-Namespace Traffic Interception via HTTPRoute/GRPCRoute Priority Ordering
Bulletin ID: 2026-055-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/14/2026 13:15 PM PDT
Description:
The AWS Load Balancer Controller is an open-source Kubernetes controller that manages AWS Elastic Load Balancing resources for Kubernetes clusters. We identified CVE-2026-15738, an incorrect rule precedence ordering issue in the Gateway API listener rule generation logic. When both an HTTPRoute and a GRPCRoute are attached to the same Application Load Balancer (ALB) HTTPS listener with the same hostname, the controller assigns ALB listener rule priorities based on route kind rather than route specificity. This causes all HTTPRoute-derived rules to receive lower ALB priority numbers, evaluated first by the ALB, than GRPCRoute-derived rules, regardless of which route is more specific. A namespace-scoped user with permission to create HTTPRoute objects in a namespace admitted by a shared Gateway can create a catch-all HTTPRoute that intercepts traffic intended for a more-specific GRPCRoute in another namespace.
Impacted versions: AWS Load Balancer Controller v3.4.1 and any version that includes support for attaching both HTTPRoute and GRPCRoute to the same listener (introduced in PR #4794)
Resolution:
This issue has been addressed in AWS Load Balancer Controller version 3.4.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
Restrict the Gateway listener AllowedRoutes.Namespaces.From field to Same, or configure a restrictive namespace Selector that limits which namespaces may attach routes to the shared Gateway. This prevents untrusted namespaces from attaching HTTPRoute objects that could interfere with GRPCRoute rules in other namespaces.
References:
Acknowledgement:
We would like to thank hakuopi for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.