🟠 High  |  Source: AWS Security Bulletins


A flaw in the AWS Load Balancer Controller (CVE-2026-15738) causes incorrect priority ordering when both HTTPRoute and GRPCRoute objects share the same ALB HTTPS listener. Because the controller assigns rule priorities by route type rather than specificity, a user with permission to create HTTPRoute objects in one namespace can craft a catch-all rule that intercepts traffic destined for a more-specific GRPCRoute in a different namespace. This enables cross-namespace traffic interception in multi-tenant Kubernetes clusters using the Gateway API.

Security Architect’s Take: Audit any shared Gateway configurations where both HTTPRoute and GRPCRoute objects attach to the same ALB listener, and restrict HTTPRoute creation permissions in shared namespaces until you have patched to a fixed version of the AWS Load Balancer Controller beyond v3.4.1.

Original advisory: CVE-2026-15738 - Issue with AWS Load Balancer Controller Cross-Namespace Traffic Interception via HTTPRoute/GRPCRoute Priority Ordering