CVE-2026-22726 Overview
CVE-2026-22726 is a firewall bypass vulnerability in Cloud Foundry that abuses Route Services to redirect application traffic outside of configured egress rules. A malicious developer with access to Cloud Foundry can configure a route-service that forwards requests to HTTP services on internal networks reachable by the Gorouter. These internal destinations may not have direct exposure from outside networks or from the application itself, enabling lateral access to restricted services.
The issue affects the Cloud Foundry routing_release from v0.118.0 through v0.371.0 (inclusive) and cf-deployment from v0.0.2 through v54.14.0 (inclusive). The flaw is tracked under CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints).
Critical Impact
An authenticated developer can reach internal HTTP services through the Gorouter, bypassing application security group egress controls and exposing services that should remain isolated.
Affected Products
- Cloud Foundry routing_release versions v0.118.0 through v0.371.0
- Cloud Foundry cf-deployment versions v0.0.2 through v54.14.0
- Deployments using Gorouter with Route Services enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-22726 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-22726
Vulnerability Analysis
Cloud Foundry Route Services let operators and developers bind external or internal services that intercept and process requests before they reach an application. The Gorouter forwards inbound traffic to the configured route-service URL, which then proxies the request back to the original destination. This trust model assumes the route-service URL is constrained by the same egress policies that govern application traffic.
In affected versions, the Gorouter does not enforce application security groups (ASGs) or egress rules when dispatching to a route-service destination. A developer with permission to register route-services can supply a URL pointing to internal HTTP endpoints. The Gorouter then issues the request from its own network position, which typically has broader reachability than tenant applications.
The outcome is a confused-deputy scenario. The Gorouter performs the network call on behalf of the developer-controlled configuration, granting access to internal management interfaces, metadata services, or other infrastructure components that ASGs were intended to block.
Root Cause
The root cause is improper restriction of the communication channel exposed through Route Services. The routing layer treats route-service URLs as trusted endpoints and skips the egress validation applied to direct application traffic. This mismatch between the security model for app-originated traffic and route-service-originated traffic produces the bypass.
Attack Vector
Exploitation requires authenticated access to a Cloud Foundry environment with permission to create or bind route-services. The attacker registers a user-provided route-service whose URL targets an internal HTTP service reachable by the Gorouter. Subsequent requests routed through the bound application cause the Gorouter to issue traffic to the attacker-specified internal URL. No user interaction is needed beyond the initial configuration, and the attack is performed entirely over the network.
The vulnerability mechanism is described in the Cloud Foundry security advisory. No public proof-of-concept exploit is currently available.
Detection Methods for CVE-2026-22726
Indicators of Compromise
- Route-service registrations referencing internal IP ranges, loopback addresses, or non-public hostnames in the configured URL.
- Gorouter access logs showing outbound requests to internal subnets that do not align with documented service endpoints.
- Unexpected user-provided service instances of type route-service created by developer accounts.
Detection Strategies
- Audit Cloud Foundry CAPI for all route-service bindings and inspect the route_service_url field for destinations outside approved egress ranges.
- Correlate Gorouter request logs with ASG policy to identify traffic patterns that should have been blocked by egress rules but were issued by the router.
- Review CF audit events for audit.service_instance.create and audit.service_binding.create entries tied to route-services.
Monitoring Recommendations
- Forward Gorouter access logs and CAPI audit events to a centralized analytics platform for continuous review.
- Alert on route-service URLs containing private RFC1918 ranges, link-local addresses, or internal DNS suffixes.
- Track the routing_release and cf-deployment versions in use across foundations to confirm patch coverage.
How to Mitigate CVE-2026-22726
Immediate Actions Required
- Upgrade routing_release to v0.372.0 or later, which contains the egress enforcement fix.
- Upgrade cf-deployment to v55.0.0 or later, which bundles the patched routing release.
- Inventory existing route-service bindings and remove any that target internal-only destinations not explicitly authorized.
Patch Information
Cloud Foundry has released fixed versions. Operators should deploy routing_release v0.372.0 or newer, or upgrade the entire foundation to cf-deployment v55.0.0 or newer. Refer to the Cloud Foundry advisory for upgrade procedures and verification steps.
Workarounds
- Restrict the developer roles that can create user-provided service instances of type route-service until the patch is deployed.
- Place network-level controls between the Gorouter and sensitive internal HTTP services to deny unsolicited traffic.
- Monitor and review all newly registered route-service URLs against an allowlist of approved external destinations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.