
Cloud Foundry Routing Release CVE-2026-22726

MEDIUM · CVSS 3.1 base score 5.0 (NVD)
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
2026-04-30 · vmware

Severity by source

  • NVD (primary): 5.0 MEDIUM · AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: None
  • Availability: Low

Lifecycle Timeline (3 entries)

  • Apr 30, 2026 - 23:46 · Analysis Generated (vuln.today)
  • Apr 30, 2026 - 23:30 · Analysis Generated (vuln.today)
  • Apr 30, 2026 - 23:17 · CVE Published (nvd) · MEDIUM 5.0

Description (CVE.org)

Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloud Foundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application. Routing release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).
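The description above gives inclusive affected version ranges for two components and the first fixed release of each. The following is an added example, not code from vuln.today or the Cloud Foundry project, that turns those stated ranges into a repeatable inventory check: it parses `vMAJOR.MINOR.PATCH` strings into comparable tuples (so that, for instance, v0.118.0 sorts after v0.99.0, which a plain string comparison would get wrong), refuses unparseable version strings rather than silently treating them as safe, and reports the upgrade target for any affected component. The sample inventory is constructed for illustration.

```python
"""Check Cloud Foundry component versions against the affected ranges
stated for CVE-2026-22726 (added example; ranges copied from the CVE
description, sample inventory constructed)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges and first fixed release, as stated in the CVE description.
AFFECTED = {
    "routing-release": {"min": "v0.118.0", "max": "v0.371.0", "fixed": "v0.372.0"},
    "cf-deployment":   {"min": "v0.0.2",   "max": "v54.14.0", "fixed": "v55.0.0"},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'v0.371.0' or '0.371.0' into a tuple of ints for correct ordering.

    Anything else raises ValueError so a typo or a label such as 'latest'
    cannot be mistaken for a version outside the affected range."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(component: str, version: str) -> bool:
    """True if `version` of `component` lies inside the inclusive affected range."""
    rng = AFFECTED[component]
    v = parse_version(version)
    return parse_version(rng["min"]) <= v <= parse_version(rng["max"])


def assess(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Map each known component to (version, affected?, required upgrade or None).

    Components this CVE does not cover are skipped rather than reported."""
    result = {}
    for component, version in inventory.items():
        if component not in AFFECTED:
            continue
        hit = is_affected(component, version)
        result[component] = (version, hit, AFFECTED[component]["fixed"] if hit else None)
    return result


# Constructed sample inventory (e.g. copied from a deployment manifest); not real data.
SAMPLE_INVENTORY = {
    "routing-release": "v0.371.0",   # last affected release
    "cf-deployment": "v55.0.0",      # first fixed release
    "some-other-release": "v1.2.3",  # not covered by this CVE
}

if __name__ == "__main__":
    for comp, (ver, hit, fix) in assess(SAMPLE_INVENTORY).items():
        status = f"AFFECTED, upgrade to {fix} or later" if hit else "not affected"
        print(f"{comp} {ver}: {status}")
```

Note that the check only encodes the bounds the CVE text states; a version above the stated maximum is reported as not affected because the text says the fix is present from v0.372.0 and v55.0.0 onward.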

Analysis (AI)

Route Services in Cloud Foundry Routing Release v0.118.0-v0.371.0 and CF Deployment v0.0.2-v54.14.0 allow authenticated malicious developers to bypass application egress rules by configuring route-services that redirect traffic to internal network destinations otherwise unreachable from external networks or the application itself. This affects the scope of the routing infrastructure, enabling information disclosure and potential lateral movement within the Gorouter network.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Authenticate as developer on CF platform
  • Delivery: Create malicious route-service pointing to internal target
  • Exploit: Assign route-service to application route
  • Install: Intercept HTTP traffic via route-service proxy
  • C2: Forward requests to internal network service
  • Execute: Extract or probe internal service data
  • Impact: Exfiltrate or enumerate information

Vulnerability Assessment (AI)

Exploitation: The attacker must possess authenticated developer access to Cloud Foundry (PR:L), specifically the ability to create or modify routes and assign route-services to applications. …

Risk Assessment: CVSS 5.0 with CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L indicates network-accessible exploitation by authenticated users (PR:L, requiring a login or developer role) with low complexity, no user interaction, and a scope change to other systems. …

Exploit Scenario: A malicious developer with Cloud Foundry platform credentials creates a route-service and assigns it to an application they control. The route-service is configured to intercept HTTP requests and forward them to an internal database server, cache service, or management interface that is normally unreachable from external networks or from other applications. …

Remediation: Upgrade Routing Release to v0.372.0 or greater. …
