CVE-2026-22726

medium

Published 2026-05-01 · Modified 2026-05-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.0

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.0

Description

Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application. Routing release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).

Predictions

Exploit likelihood

60%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Application impact

Vendor	Product	Versions	Fixed
cloudfoundry	cf-deployment	`{"startIncluding":"0.0.2","endExcluding":"55.0.0"}`	`55.0.0`
cloudfoundry	routing_release	`{"startIncluding":"0.118.0","endExcluding":"0.372.0"}`	`0.372.0`

References

https://www.cloudfoundry.org/blog/cve-2026-22726-route-services-firewall-bypass/

CWEs

CWE-923

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.