HIGH 8.8

CVE-2026-1784: HAProxy Configuration Injection in Red Hat OpenShift Routes

A flaw in OpenShift's Route resource allows users with low-level cluster access to inject malicious HAProxy configuration through the spec.path field. Because validation of this field is insufficient, an attacker can bypass intended restrictions and alter how traffic is routed, potentially redirecting requests or exposing sensitive data. This is a local privilege escalation risk requiring existing cluster access but delivering high-impact consequences.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-15
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-07-02

NVD description (verbatim)

The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document was insufficient and could allow a controlled injection of the HAProxy configuration.

21 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-1784 exploits insufficient input validation on the spec.path YAML stanza within OpenShift Route objects. Routes are a core mechanism in OpenShift for exposing pod services via HAProxy-backed ingress. The vulnerability permits authenticated cluster users to inject arbitrary HAProxy directives through the path specification, circumventing the path validation logic. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates local attack surface, low complexity, low privilege barrier, cross-boundary impact, and high confidentiality, integrity, and availability consequences. The CWE-15 classification (External Control of System or Configuration Setting) reflects the ability to manipulate critical infrastructure configuration.

Business impact

A successful exploit enables lateral movement and privilege escalation within an OpenShift cluster. An attacker with basic user credentials can redirect traffic intended for legitimate pods, intercept requests, or cause service disruption across the cluster. In multi-tenant environments, this permits cross-tenant interference. Organizations running production workloads on affected OpenShift versions face risk of data exfiltration, service downtime, and compliance violations if sensitive traffic is rerouted or inspected. The cross-cluster scope (S:C in CVSS) indicates impact extends beyond the immediate Route object.

Affected systems

Red Hat OpenShift Container Platform is the affected product. The vulnerability targets Route resources and HAProxy configuration injection, so any OpenShift deployment relying on Route-based ingress is potentially vulnerable. The local attack vector means an attacker must have valid cluster user credentials; public internet exposure is not a direct vector, but insider threats and compromised service accounts pose material risk.

Exploitability

Exploitation requires valid OpenShift cluster credentials and the ability to create or modify Route resources. No user interaction is needed, and the attack complexity is low—the vulnerable validation logic is straightforward to bypass with basic YAML manipulation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active wild exploitation has not been widely reported, though the straightforward nature of the flaw means proof-of-concept development is feasible. Organizations should assume competent adversaries with cluster access will identify and exploit this quickly.

Remediation

Apply vendor-supplied patches for Red Hat OpenShift Container Platform that implement strict input validation on the spec.path field to prevent HAProxy configuration injection. Patches should enforce allowlisting or escaping of path values to ensure only legitimate routing syntax is accepted. Verify the fix against Red Hat's security advisory for the specific OpenShift version you are running. Until patched, restrict Route creation and modification permissions to trusted administrative roles only.

Patch guidance

Check Red Hat's OpenShift security advisories for patched versions addressing CVE-2026-1784. Patch availability and version numbers vary by your current OpenShift release line; refer to the official Red Hat advisory for guidance on your specific installation. Test patches in a non-production environment before deploying to production clusters. Prioritize patching in multi-tenant or internet-exposed OpenShift environments where tenant isolation is critical.

Detection guidance

Monitor for Route resource creation and modification events via OpenShift audit logs. Flag any Route spec.path values that contain HAProxy directives, escape sequences, or unusual syntax inconsistent with legitimate Kubernetes path patterns. Inspect HAProxy configuration snapshots on ingress controllers for unexpected rules or backend definitions that correlate with recent Route changes. Consider deploying admission controllers (ValidatingWebhook or MutatingWebhook) to enforce strict path validation as a compensating control while awaiting patches.

Why prioritize this

This vulnerability merits urgent attention due to its HIGH CVSS score (8.8), cross-cluster impact scope, and the critical nature of routing and traffic control in Kubernetes environments. The low privilege and complexity barriers mean any cluster user poses a threat. While KEV listing is absent, the simplicity of exploitation and the sensitive nature of Route configuration warrant immediate patching in production clusters, especially those handling sensitive workloads or multi-tenant scenarios.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of local attack vector, low barrier to entry (low privilege, low complexity), and severe impact across confidentiality, integrity, and availability. The cross-cluster scope amplifies risk by enabling attackers to affect multiple services or tenants simultaneously. The absence of a user interaction requirement and the fundamental role of Routes in OpenShift traffic control justify the high severity rating.

Frequently asked questions

Can this vulnerability be exploited from outside the cluster?

No. The attack vector is local (AV:L), meaning the attacker must have valid credentials and access to interact with the OpenShift API. Internet-facing exposure is not a direct attack path. However, compromised service accounts, insider threats, or weak credential management can enable malicious cluster users to exploit this flaw.

What is the difference between this and a standard injection attack?

This is a configuration injection vulnerability specific to HAProxy, the reverse proxy underlying OpenShift Routes. Rather than injecting code or SQL, the attacker injects HAProxy directives into the routing layer, allowing traffic manipulation. The impact is therefore control over how requests are routed and handled, not direct system command execution.

Do all OpenShift clusters require patching?

All clusters running affected versions of Red Hat OpenShift Container Platform are potentially vulnerable if Route resources are in use. Patching is essential for production clusters. If your OpenShift installation uses alternative ingress mechanisms and does not rely on Route objects, the attack surface is reduced, but Red Hat's advisory should be consulted for your specific version.

What should I do immediately if I cannot patch right away?

Restrict Route creation and modification permissions to a minimal set of trusted administrators using RBAC. Deploy a ValidatingWebhook admission controller to reject Route specs with suspicious path syntax. Monitor audit logs for Route modifications and review existing Routes for anomalous configuration. These controls provide temporary risk reduction while you prepare and test patches.

This analysis is based on publicly available vulnerability data as of the publication date. Patch version numbers and remediation steps must be verified against Red Hat's official security advisory for CVE-2026-1784. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and testing before applying patches in production environments. This page is for informational purposes and should not be construed as legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).