ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-1784 — HAProxy Configuration Injection via OpenShift Route spec.path

A brief summary of CVE-2026-1784, a high severity configuration injection vulnerability in Red Hat OpenShift Routes that allows users with Route creation privileges to inject arbitrary HAProxy configuration directives through the spec.path field.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-02

Quick Look: CVE-2026-1784 — HAProxy Configuration Injection via OpenShift Route spec.path
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Insufficient input validation in the OpenShift Route API now allows any user with Route creation privileges to inject arbitrary HAProxy configuration directives, giving them indirect control over the ingress layer that governs all external traffic to OpenShift applications. With a CVSS score of 8.8 and the low barrier to exploitation (Route creation is commonly delegated to developers in multi-tenant clusters), CVE-2026-1784 represents a meaningful risk for organizations running Red Hat OpenShift with HAProxy ingress.

Technical Information

How OpenShift Routes Become HAProxy Configuration

In OpenShift, a Route object is the primary mechanism for exposing services to external traffic. The OpenShift router, powered by HAProxy, watches for Route API objects and dynamically regenerates the HAProxy configuration file at /var/lib/haproxy/conf/haproxy.config. The spec.path field within a Route document specifies a URL path for path based routing, allowing multiple services to share a single hostname with traffic differentiated by path prefix.

The Root Cause: CWE-15

CVE-2026-1784 is classified under CWE-15 (External Control of System or Configuration Setting). MITRE defines this weakness as one where "allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways." The core issue is that the validation checks performed on the spec.path field were insufficient. The contents of this field, which is externally controlled by whoever creates or modifies the Route, flow into the HAProxy configuration generation process without adequate sanitization. This means a carefully crafted spec.path value can break out of its intended context within the HAProxy configuration and inject arbitrary directives.

Attack Flow

The exploitation path is straightforward for anyone with Route creation privileges:

  1. Craft a malicious Route: The attacker creates or modifies an OpenShift Route object, embedding HAProxy configuration syntax within the spec.path field. Because spec.path is a legitimate field that developers routinely set, this action does not require any special permissions beyond standard Route management.

  2. Bypass validation: The insufficient checks on spec.path fail to detect or strip the embedded HAProxy directives. The malicious payload passes through to the configuration generation pipeline.

  3. HAProxy configuration rewrite: The OpenShift router regenerates /var/lib/haproxy/conf/haproxy.config with the injected directives now active. HAProxy reloads with the modified configuration.

  4. Impact realization: Depending on the injected directives, the attacker could redirect traffic to attacker controlled endpoints, expose internal services that were not intended to be publicly accessible, or cause denial of service through misconfigured routing rules.

What Makes This Particularly Concerning

The tension at the heart of this vulnerability is between developer self-service and infrastructure security. OpenShift Routes are designed to give application teams autonomy over how their services are exposed. The spec.path field is a core routing attribute that developers legitimately need to modify. This makes it difficult to restrict without impacting developer productivity, and it means the vulnerable input surface is one that is frequently and routinely exercised in normal operations.

The CVSS 8.8 score reflects a network accessible attack that can compromise both integrity and availability of the routing layer. In a multi-tenant OpenShift cluster, a single compromised or malicious namespace could potentially affect routing for all tenants sharing the same HAProxy instance.

Information Gaps

Several important details remain unavailable as of the disclosure date:

DetailStatus
CVSS v3.x vector stringNot yet assigned by NVD
Specific injectable HAProxy directivesNot documented publicly
Affected OpenShift versionsNot confirmed in any public advisory
Proof of concept exploit codeNot found in public sources
Bugzilla bug 2436075 detailsAccess restricted

Affected Systems and Versions

The vulnerability affects Red Hat OpenShift Container Platform deployments that use the default HAProxy based router for ingress. Specific affected version numbers have not been confirmed in any public advisory as of 2026-06-02. The Bugzilla entry (bug 2436075) that would typically contain version details remains access restricted.

An adjacent advisory, RHSA-2026:4434, addresses security updates for OpenShift Container Platform 4.19.26, but its specific relationship to CVE-2026-1784 has not been confirmed. Organizations should not assume that upgrading to 4.19.26 alone resolves this vulnerability without explicit confirmation from Red Hat.

Any OpenShift deployment where users have Route creation or modification privileges should be considered potentially affected until Red Hat publishes definitive version guidance.

Vendor Security History

Red Hat self-reported this vulnerability through its PSIRT ([email protected]), which indicates responsible internal discovery. Red Hat follows a defined vulnerability management lifecycle and publishes annual Product Security Risk Reports. The 2025 edition includes vulnerability response statistics and year over year comparisons.

Notably, Red Hat's own 2026 State of Cloud Native Security Report found that 97% of organisations experienced security incidents in the prior year, with misconfiguration and weak governance identified as primary drivers. CVE-2026-1784 aligns directly with this finding: it is a misconfiguration class vulnerability where externally supplied input controls system configuration without adequate validation.

The access restricted Bugzilla entry is consistent with Red Hat's standard practice for vulnerabilities under active remediation, though it does limit the transparency available to the broader security community during the critical early disclosure period.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization