Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource.
To mitigate this issue, users should upgrade to version 3.4.2.
{
"cwe_ids": [
"CWE-653"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15738.json",
"cna_assigner": "AMZN"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.4.2"
}
],
"source": [
"AFFECTED_FIELD",
"DESCRIPTION",
"REFERENCES"
]
}