CVE-2026-22726

Source
https://cve.org/CVERecord?id=CVE-2026-22726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22726
Published
2026-04-30T23:17:00.707Z
Modified
2026-07-15T01:48:54.726212318Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L CVSS Calculator
Summary
Route Services Firewall Bypass
Details

Route Services can be leveraged to send app traffic to network destinations outside of an app's configured egress rules. As a result, a malicious developer with access to Cloudfoundry could configure a route-service that would allow it to send requests to HTTP services on internal networks reachable by the Gorouter, which may not have previously had direct access from outside networks, or from the application. Routing release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater. CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0).

Database specific
{
    "cwe_ids": [
        "CWE-923"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22726.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "v0.118.0"
                },
                {
                    "fixed": "v0.372.0"
                },
                {
                    "introduced": "v0.0.2"
                },
                {
                    "fixed": "v55.0.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "introduced": "v0.118.0"
                },
                {
                    "fixed": "v0.371.0"
                },
                {
                    "introduced": "v0.0.2"
                },
                {
                    "fixed": "v54.14.0"
                }
            ],
            "source": "DESCRIPTION"
        }
    ],
    "cna_assigner": "vmware"
}
References

Affected packages

Git / github.com/cloudfoundry/cf-deployment

Affected ranges

Type
GIT
Repo
https://github.com/cloudfoundry/cf-deployment
Events
Database specific
{
    "cpe": "cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.0.2"
        },
        {
            "fixed": "55.0.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v0.*
v0.0.2
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.2.0
v0.2.1
v0.2.2
v0.28.0
v0.29.0
v0.3.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.37.0
v0.5.0
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.33.0
v1.34.0
v1.35.0
v1.36.0
v1.37.0
v1.38.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v10.*
v10.0.0
v10.1.0
v11.*
v11.0.0
v11.1.0
v11.2.0
v12.*
v12.0.0
v12.1.0
v12.10.0
v12.11.0
v12.12.0
v12.13.0
v12.14.0
v12.15.0
v12.16.0
v12.17.0
v12.18.0
v12.19.0
v12.2.0
v12.20.0
v12.21.0
v12.22.0
v12.23.0
v12.24.0
v12.25.0
v12.26.0
v12.27.0
v12.28.0
v12.29.0
v12.3.0
v12.30.0
v12.31.0
v12.32.0
v12.33.0
v12.34.0
v12.35.0
v12.36.0
v12.37.0
v12.38.0
v12.39.0
v12.4.0
v12.40.0
v12.41.0
v12.42.0
v12.43.0
v12.44.0
v12.45.0
v12.5.0
v12.6.0
v12.7.0
v12.8.0
v12.9.0
v13.*
v13.0.0
v13.1.0
v13.10.0
v13.11.0
v13.12.0
v13.13.0
v13.14.0
v13.15.0
v13.16.0
v13.17.0
v13.18.0
v13.19.0
v13.2.0
v13.20.0
v13.21.0
v13.22.0
v13.23.0
v13.3.0
v13.4.0
v13.5.0
v13.6.0
v13.7.0
v13.8.0
v13.9.0
v14.*
v14.0.0
v15.*
v15.0.0
v15.1.0
v15.2.0
v15.3.0
v15.4.0
v15.5.0
v15.6.0
v15.7.0
v16.*
v16.0.0
v16.1.0
v16.10.0
v16.11.0
v16.12.0
v16.13.0
v16.14.0
v16.15.0
v16.16.0
v16.17.0
v16.18.0
v16.19.0
v16.2.0
v16.20.0
v16.21.0
v16.22.0
v16.23.0
v16.24.0
v16.25.0
v16.3.0
v16.4.0
v16.5.0
v16.6.0
v16.7.0
v16.8.0
v16.9.0
v17.*
v17.0.0
v17.1.0
v18.*
v18.0.0
v19.*
v19.0.0
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v20.*
v20.0.0
v20.1.0
v20.2.0
v20.3.0
v20.4.0
v21.*
v21.0.0
v21.1.0
v21.10.0
v21.11.0
v21.2.0
v21.3.0
v21.4.0
v21.5.0
v21.6.0
v21.7.0
v21.8.0
v21.9.0
v22.*
v22.0.0
v22.1.0
v22.2.0
v23.*
v23.0.0
v23.1.0
v23.2.0
v23.3.0
v23.4.0
v23.5.0
v24.*
v24.0.0
v24.1.0
v24.2.0
v24.3.0
v24.4.0
v24.7.0
v25.*
v25.0.0
v25.1.0
v26.*
v26.0.0
v26.1.0
v26.2.0
v26.3.0
v26.4.0
v26.5.0
v26.6.0
v26.7.0
v27.*
v27.0.0
v27.1.0
v27.2.0
v27.4.0
v27.5.0
v27.6.0
v27.7.0
v27.8.0
v28.*
v28.0.0
v28.1.0
v28.2.0
v29.*
v29.0.0
v29.1.0
v3.*
v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v30.*
v30.0.0
v30.1.0
v30.10.0
v30.2.0
v30.3.0
v30.4.0
v30.5.0
v30.6.0
v30.7.0
v30.8.0
v30.9.0
v31.*
v31.0.0
v31.1.0
v31.2.0
v31.3.0
v31.4.0
v31.5.0
v31.6.0
v32.*
v32.0.0
v32.1.0
v32.10.0
v32.11.0
v32.12.0
v32.13.0
v32.14.0
v32.15.0
v32.16.0
v32.17.0
v32.2.0
v32.3.0
v32.4.0
v32.5.0
v32.6.0
v32.7.0
v32.8.0
v32.9.0
v33.*
v33.0.0
v33.1.0
v33.10.0
v33.11.0
v33.12.0
v33.2.0
v33.3.0
v33.4.0
v33.5.0
v33.6.0
v33.7.0
v33.8.0
v33.9.0
v34.*
v34.0.0
v34.1.0
v34.2.0
v35.*
v35.0.0
v35.1.0
v35.2.0
v35.3.0
v35.4.0
v35.5.0
v36.*
v36.0.0
v37.*
v37.0.0
v37.1.0
v37.2.0
v37.3.0
v37.4.0
v37.5.0
v38.*
v38.0.0
v38.1.0
v39.*
v39.0.0
v39.1.0
v39.2.0
v39.3.0
v39.4.0
v39.5.0
v39.6.0
v39.7.0
v39.8.0
v4.*
v4.0.0
v4.1.0
v4.2.0
v4.3.0
v4.4.0
v4.5.0
v40.*
v40.0.0
v40.1.0
v40.10.0
v40.11.0
v40.12.0
v40.13.0
v40.14.0
v40.15.0
v40.16.0
v40.17.0
v40.18.0
v40.19.0
v40.2.0
v40.3.0
v40.4.0
v40.5.0
v40.6.0
v40.7.0
v40.8.0
v40.9.0
v41.*
v41.0.0
v41.1.0
v41.2.0
v41.3.0
v42.*
v42.0.0
v42.1.0
v42.2.0
v42.3.0
v42.4.0
v42.5.0
v42.6.0
v43.*
v43.0.0
v43.1.0
v43.2.0
v43.3.0
v43.4.0
v43.5.0
v43.6.0
v44.*
v44.0.0
v44.1.0
v44.10.0
v44.11.0
v44.2.0
v44.3.0
v44.4.0
v44.5.0
v44.6.0
v44.7.0
v44.8.0
v44.9.0
v45.*
v45.0.0
v45.1.0
v46.*
v46.0.0
v46.1.0
v46.2.0
v46.3.0
v46.4.0
v46.5.0
v46.6.0
v46.7.0
v47.*
v47.0.0
v47.1.0
v48.*
v48.0.0
v48.1.0
v48.10.0
v48.11.0
v48.2.0
v48.3.0
v48.4.0
v48.5.0
v48.6.0
v48.7.0
v48.8.0
v48.9.0
v49.*
v49.0.0
v49.1.0
v49.2.0
v49.4.0
v49.5.0
v49.6.0
v5.*
v5.0.0
v5.1.0
v5.3.0
v5.4.0
v5.5.0
v50.*
v50.0.0
v50.1.0
v50.2.0
v50.3.0
v50.4.0
v51.*
v51.0.0
v51.1.0
v51.10.0
v51.11.0
v51.2.0
v51.3.0
v51.4.0
v51.5.0
v51.6.0
v51.7.0
v51.8.0
v51.9.0
v52.*
v52.0.0
v53.*
v53.0.0
v53.1.0
v53.2.0
v53.3.0
v53.4.0
v53.5.0
v53.6.0
v53.7.0
v53.8.0
v54.*
v54.0.0
v54.1.0
v54.10.0
v54.11.0
v54.12.0
v54.13.0
v54.14.0
v54.2.0
v54.3.0
v54.4.0
v54.5.0
v54.6.0
v54.7.0
v54.8.0
v54.9.0
v6.*
v6.0.0
v6.1.0
v6.10.0
v6.2.0
v6.3.0
v6.4.0
v6.5.0
v6.6.0
v6.7.0
v6.8.0
v6.9.0
v7.*
v7.0.0
v7.1.0
v7.2.0
v7.3.0
v7.4.0
v7.5.0
v7.6.0
v7.8.0
v7.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22726.json"

Git / github.com/cloudfoundry/routing-release

Affected ranges

Type
GIT
Repo
https://github.com/cloudfoundry/routing-release
Events
Database specific
{
    "cpe": "cpe:2.3:a:cloudfoundry:routing_release:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.118.0"
        },
        {
            "fixed": "0.372.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

0.*
0.118.0
0.121.0
0.123.0
0.134.0
0.136.0
0.137.0
0.142.0
0.147.0
0.154.0
0.157.0
0.160.0
0.162.0
0.166.0
0.171.0
0.172.0
0.173.0
0.174.0
0.175.0
0.176.0
0.178.0
0.179.0
0.180.0
0.183.0
0.184.0
0.186.0
0.187.0
0.192.0
0.194.0
0.195.0
0.196.0
0.199.0
0.200.0
0.201.0
0.202.0
0.203.0
0.204.0
0.205.0
0.206.0
0.207.0
0.208.0
0.209.0
0.210.0
0.211.0
0.212.0
0.213.0
0.214.0
0.215.0
0.216.0
0.218.0
0.219.0
0.220.0
0.221.0
0.222.0
0.223.0
0.224.0
0.225.0
0.226.0
0.227.0
0.228.0
0.229.0
0.230.0
0.231.0
0.232.0
0.233.0
0.234.0
0.235.0
0.236.0
0.237.0
0.238.0
0.239.0
0.241.0
0.242.0
0.243.0
0.244.0
0.245.0
0.246.0
0.247.0
0.248.0
0.249.0
0.250.0
0.251.0
0.252.0
0.253.0
0.254.0
0.255.0
0.256.0
0.257.0
0.258.0
v0.*
v0.0.0
v0.236.0
v0.237.0
v0.238.0
v0.239.0
v0.240.0
v0.241.0
v0.242.0
v0.243.0
v0.244.0
v0.245.0
v0.246.0
v0.247.0
v0.248.0
v0.249.0
v0.250.0
v0.251.0
v0.252.0
v0.253.0
v0.254.0
v0.255.0
v0.256.0
v0.257.0
v0.258.0
v0.259.0
v0.260.0
v0.261.0
v0.262.0
v0.263.0
v0.264.0
v0.265.1
v0.268.0
v0.269.0
v0.270.0
v0.271.0
v0.272.0
v0.273.0
v0.275.0
v0.276.0
v0.277.0
v0.278.0
v0.279.0
v0.280.0
v0.282.0
v0.283.0
v0.285.0
v0.286.0
v0.287.0
v0.288.0
v0.289.0
v0.290.0
v0.291.0
v0.292.0
v0.294.0
v0.295.0
v0.297.0
v0.298.0
v0.299.0
v0.300.0
v0.301.0
v0.302.0
v0.304.0
v0.306.0
v0.307.0
v0.308.0
v0.309.0
v0.310.0
v0.311.0
v0.314.0
v0.316.0
v0.317.0
v0.318.0
v0.319.0
v0.322.0
v0.323.0
v0.324.0
v0.325.0
v0.326.0
v0.327.0
v0.330.0
v0.334.0
v0.335.0
v0.336.0
v0.337.0
v0.340.0
v0.341.0
v0.343.0
v0.345.0
v0.346.0
v0.348.0
v0.349.0
v0.351.0
v0.353.0
v0.354.0
v0.356.0
v0.357.0
v0.358.0
v0.360.0
v0.361.0
v0.362.0
v0.363.0
v0.364.0
v0.367.0
v0.368.0
v0.370.0
v0.371.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22726.json"