Gateway API Misconfiguration in Amazon AWS Load Balancer Controller
CVE-2026-15738

5.8MEDIUM

Key Information:

Vendor

Amazon

Vendor
CVE Published:
14 July 2026

What is CVE-2026-15738?

The AWS Load Balancer Controller prior to version 3.4.2 exhibits improper behavior in the order of Gateway API listener-rule generation. This vulnerability could allow an authenticated remote user to execute malicious actions such as intercepting, spoofing, or denying access to gRPC traffic associated with another namespace on a shared Gateway. The risk arises when a crafted HTTPRoute resource is deployed, potentially compromising the integrity of network communications. Users are advised to update to version 3.4.2 to mitigate this issue.

Affected Version(s)

aws-load-balancer-controller 0 < 3.4.2

References

CVSS V4

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.