JustAppSec

Cloud Foundry Route Services can sidestep app egress controls

Published 30 Apr 2026. Updated 01 May 2026. Source: CVEProject (cvelistV5)

TL;DR - CVE-2026-22726: a developer with Route Service configuration access can steer application traffic to internal HTTP destinations that sit outside the app's egress rules, reaching services accessible via Gorouter that the app was never supposed to touch. Upgrade routing_release to v0.372.0 or cf-deployment to v55.0.0.

What happened

Cloud Foundry is a PaaS that routes application traffic through Gorouter. Route Services let operators insert an HTTP component into the request path - useful for logging, auth proxies, and traffic shaping. CVE-2026-22726 turns that mechanism into an egress bypass.

A developer with sufficient access to configure a Route Service can point it at internal HTTP destinations that the application's egress rules would normally block. Gorouter forwards to them anyway: it is Gorouter, not the app container, that opens the connection to the Route Service URL, so the request originates from Gorouter's network and the application's egress rules never see it. The practical result is that internal services reachable from Gorouter's network become accessible to an application that has no business reaching them.

Component          Affected versions          Fix
routing_release    v0.118.0 to < v0.372.0     v0.372.0 or greater
cf-deployment      v0.0.2 to < v55.0.0        v55.0.0 or greater

Egress controls are often treated as a hard tenant boundary in shared platforms. When a routing-layer feature can steer traffic around them, a developer account becomes a credible pivot point into services your platform can reach - even if those services assume they're shielded by policy.

Who is impacted

  • Cloud Foundry foundations running affected versions of routing_release or cf-deployment.
  • Environments that rely on application egress rules for network segmentation, particularly where internal HTTP services are reachable from Gorouter networks.
  • The threat requires developer-level access to configure a Route Service - this isn't unauthenticated exploitation, but it's a realistic risk in any multi-tenant foundation with multiple development teams.

What to do now

  • Apply the patched releases. Vendor guidance:

    "Routing release: affected from v0.118.0 through v0.371.0 (inclusive); upgrade to v0.372.0 or greater."

    "CF Deployment: affected from v0.0.2 through v54.14.0 (inclusive); upgrade to v55.0.0 or greater (includes routing_release v0.372.0)."

  • Inventory your foundation for both routing_release and cf-deployment versions and confirm you're outside the affected ranges.
  • Audit all configured Route Services. Identify any that could be repurposed to proxy traffic toward unintended internal destinations.
  • Review internal HTTP services reachable from Gorouter networks. Don't treat egress policy as those services' only access control - it clearly isn't sufficient on its own.
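The version inventory and the Route Service audit above are the two checks a platform team can script. The helper below is an added example written for this page, not code from Cloud Foundry or routing_release. It encodes the advisory's affected ranges, and it reads the JSON body that `cf curl "/v3/service_instances?type=user-provided"` returns (the CF v3 API exposes `route_service_url` on user-provided service instances) to flag any route service whose URL points at a private address, an internal-looking name, a non-HTTPS endpoint, or a host outside an operator allowlist. The sample payload, the allowlist contents and the `ALLOWED_ROUTE_SERVICE_HOSTS` name are constructed for illustration, and only the first page of API results is read (real use would follow `pagination.next`).

```python
"""Offline helper for CVE-2026-22726 exposure: version inventory plus Route Service audit.

Added example for this page, not code from Cloud Foundry or routing_release.
- is_affected() encodes the advisory's affected ranges for routing_release and cf-deployment.
- audit_route_services() takes the JSON body that
      cf curl "/v3/service_instances?type=user-provided"
  returns and flags route services whose URL does not point at an approved host.
The sample payload, the allowlist and the ALLOWED_ROUTE_SERVICE_HOSTS name are constructed
for illustration; only the first page of API results is read (no pagination handling).
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# (first affected version, first fixed version) per component, as stated in the advisory.
AFFECTED = {
    "routing_release": ("v0.118.0", "v0.372.0"),
    "cf-deployment": ("v0.0.2", "v55.0.0"),
}

# Constructed allowlist: the route-service hosts your platform team actually operates.
ALLOWED_ROUTE_SERVICE_HOSTS = {"auth-proxy.example.com", "logger.example.com"}


def parse_version(text):
    """Turn 'v0.372.0' or '55.0.0' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(component, version):
    """True if the installed version lies in [first affected, first fixed)."""
    first_bad, first_fixed = AFFECTED[component]
    return parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed)


def classify_route_service_url(url, allowed_hosts):
    """Reasons a route_service_url deserves review; an empty list means it looks fine."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append(f"host {host} is a private, loopback or link-local address")
    except ValueError:
        # Not a literal IP: look for names that only resolve inside the platform.
        if host == "localhost" or host.endswith((".internal", ".local")):
            reasons.append(f"host {host} looks like an internal name")
    if host not in allowed_hosts:
        reasons.append(f"host {host!r} is not an approved route-service host")
    return reasons


def audit_route_services(api_json, allowed_hosts=ALLOWED_ROUTE_SERVICE_HOSTS):
    """Map service-instance name -> review reasons for every suspicious route service."""
    findings = {}
    for inst in json.loads(api_json)["resources"]:
        url = inst.get("route_service_url")
        if not url:
            continue  # ordinary user-provided service (credentials only), not a route service
        reasons = classify_route_service_url(url, allowed_hosts)
        if reasons:
            findings[inst["name"]] = reasons
    return findings


# Constructed sample; field names follow GET /v3/service_instances?type=user-provided.
SAMPLE_API_RESPONSE = json.dumps({
    "resources": [
        {"name": "auth-proxy", "type": "user-provided",
         "route_service_url": "https://auth-proxy.example.com"},
        {"name": "db-creds", "type": "user-provided", "route_service_url": None},
        {"name": "helpful-logger", "type": "user-provided",
         "route_service_url": "http://10.0.10.15:8080/admin"},
        {"name": "metrics-shim", "type": "user-provided",
         "route_service_url": "https://metrics.internal/ingest"},
    ]
})


if __name__ == "__main__":
    for component, version in (("routing_release", "v0.371.0"), ("cf-deployment", "v55.0.0")):
        status = "AFFECTED" if is_affected(component, version) else "ok"
        print(f"{component} {version}: {status}")
    for name, reasons in audit_route_services(SAMPLE_API_RESPONSE).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against a real foundation by replacing `SAMPLE_API_RESPONSE` with the output of the `cf curl` call above and `ALLOWED_ROUTE_SERVICE_HOSTS` with the hosts your operators actually run. The allowlist is the check that matters; the private-address and internal-name heuristics only explain why a given entry is worth a second look.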