Introduction
Insufficient input validation in the OpenShift Route API now allows any user with Route creation privileges to inject arbitrary HAProxy configuration directives, giving them indirect control over the ingress layer that governs all external traffic to OpenShift applications. With a CVSS score of 8.8 and the low barrier to exploitation (Route creation is commonly delegated to developers in multi-tenant clusters), CVE-2026-1784 represents a meaningful risk for organizations running Red Hat OpenShift with HAProxy ingress.
Technical Information
How OpenShift Routes Become HAProxy Configuration
In OpenShift, a Route object is the primary mechanism for exposing services to external traffic. The OpenShift router, powered by HAProxy, watches for Route API objects and dynamically regenerates the HAProxy configuration file at /var/lib/haproxy/conf/haproxy.config. The spec.path field within a Route document specifies a URL path for path based routing, allowing multiple services to share a single hostname with traffic differentiated by path prefix.
The Root Cause: CWE-15
CVE-2026-1784 is classified under CWE-15 (External Control of System or Configuration Setting). MITRE defines this weakness as one where "allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways." The core issue is that the validation checks performed on the spec.path field were insufficient. The contents of this field, which is externally controlled by whoever creates or modifies the Route, flow into the HAProxy configuration generation process without adequate sanitization. This means a carefully crafted spec.path value can break out of its intended context within the HAProxy configuration and inject arbitrary directives.
Attack Flow
The exploitation path is straightforward for anyone with Route creation privileges:
-
Craft a malicious Route: The attacker creates or modifies an OpenShift Route object, embedding HAProxy configuration syntax within the
spec.pathfield. Becausespec.pathis a legitimate field that developers routinely set, this action does not require any special permissions beyond standard Route management. -
Bypass validation: The insufficient checks on
spec.pathfail to detect or strip the embedded HAProxy directives. The malicious payload passes through to the configuration generation pipeline. -
HAProxy configuration rewrite: The OpenShift router regenerates
/var/lib/haproxy/conf/haproxy.configwith the injected directives now active. HAProxy reloads with the modified configuration. -
Impact realization: Depending on the injected directives, the attacker could redirect traffic to attacker controlled endpoints, expose internal services that were not intended to be publicly accessible, or cause denial of service through misconfigured routing rules.
What Makes This Particularly Concerning
The tension at the heart of this vulnerability is between developer self-service and infrastructure security. OpenShift Routes are designed to give application teams autonomy over how their services are exposed. The spec.path field is a core routing attribute that developers legitimately need to modify. This makes it difficult to restrict without impacting developer productivity, and it means the vulnerable input surface is one that is frequently and routinely exercised in normal operations.
The CVSS 8.8 score reflects a network accessible attack that can compromise both integrity and availability of the routing layer. In a multi-tenant OpenShift cluster, a single compromised or malicious namespace could potentially affect routing for all tenants sharing the same HAProxy instance.
Information Gaps
Several important details remain unavailable as of the disclosure date:
| Detail | Status |
|---|---|
| CVSS v3.x vector string | Not yet assigned by NVD |
| Specific injectable HAProxy directives | Not documented publicly |
| Affected OpenShift versions | Not confirmed in any public advisory |
| Proof of concept exploit code | Not found in public sources |
| Bugzilla bug 2436075 details | Access restricted |
Affected Systems and Versions
The vulnerability affects Red Hat OpenShift Container Platform deployments that use the default HAProxy based router for ingress. Specific affected version numbers have not been confirmed in any public advisory as of 2026-06-02. The Bugzilla entry (bug 2436075) that would typically contain version details remains access restricted.
An adjacent advisory, RHSA-2026:4434, addresses security updates for OpenShift Container Platform 4.19.26, but its specific relationship to CVE-2026-1784 has not been confirmed. Organizations should not assume that upgrading to 4.19.26 alone resolves this vulnerability without explicit confirmation from Red Hat.
Any OpenShift deployment where users have Route creation or modification privileges should be considered potentially affected until Red Hat publishes definitive version guidance.
Vendor Security History
Red Hat self-reported this vulnerability through its PSIRT ([email protected]), which indicates responsible internal discovery. Red Hat follows a defined vulnerability management lifecycle and publishes annual Product Security Risk Reports. The 2025 edition includes vulnerability response statistics and year over year comparisons.
Notably, Red Hat's own 2026 State of Cloud Native Security Report found that 97% of organisations experienced security incidents in the prior year, with misconfiguration and weak governance identified as primary drivers. CVE-2026-1784 aligns directly with this finding: it is a misconfiguration class vulnerability where externally supplied input controls system configuration without adequate validation.
The access restricted Bugzilla entry is consistent with Red Hat's standard practice for vulnerabilities under active remediation, though it does limit the transparency available to the broader security community during the critical early disclosure period.
References
- NVD Entry for CVE-2026-1784
- Red Hat Security Advisory for CVE-2026-1784
- Red Hat Bugzilla Bug 2436075
- CWE-15: External Control of System or Configuration Setting
- CWE-642: External Control of Critical State Data
- OpenShift Container Platform 4.15: Configuring Routes
- OpenShift Container Platform 4.10: Configuring Routes
- Red Hat Vulnerability Management and Lifecycle
- Red Hat Security Updates and Notifications
- RHSA-2026:4434 Security Advisory
- RHSA-2026:4435 Security Advisory
- Red Hat Product Security Risk Report 2025
- Red Hat 2026 Cloud Native Security Report
- CISA Known Exploited Vulnerabilities Catalog
- Networking Concepts and Routing through HAProxy in OpenShift



