Bug 2436075 (CVE-2026-1784) - CVE-2026-1784 ose-cluster-ingress-operator: Remote Code Execution Through HAProxy Configuration Injection
Summary: CVE-2026-1784 ose-cluster-ingress-operator: Remote Code Execution Through HAP...
Keywords:
Status: NEW
Alias: CVE-2026-1784
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-02-02 21:16 UTC by OSIDB Bzimport
Modified: 2026-06-03 17:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-02 21:16:44 UTC
The OpenShift Route resource lets users define routes that make pods reachable at a subdomain through HAProxy. These Routes are managed by the openshift-ingress/router-default pods. One Route feature is the ability to match a URI's path and replace it; this is expressed through the spec.path field and the metadata.annotations["haproxy.router.openshift.io/rewrite-target"] annotation in a Route document, which are in turn (after various checks and sanitization) used as parameters to an HAProxy configuration template. This template is plain text, so the templating engine cannot automatically escape values to preserve the document structure; escaping has to be performed on the values before the template is evaluated.

By default the Developer role can create Routes to expose their services.

It was found that the checks performed on a Route's spec.path were insufficient and could allow a controlled injection into the HAProxy configuration.
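As an added example (not the operator's code and not part of this report), a Go sketch of the pre-template check the description calls for: a constructed plaintext renderer that interpolates spec.path unescaped, beside a conservative allowlist validator that rejects whitespace, control characters and HAProxy's quoting, comment and variable characters before any value reaches the template. The directive text and the allowlist are assumptions for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// haproxyPathLine mimics how a plaintext HAProxy template would interpolate a
// Route's spec.path. Constructed for illustration, not the operator's real
// template; the point is that nothing escapes `path` here.
func haproxyPathLine(path string) string {
	return fmt.Sprintf("  http-request replace-path %s(.*) /\\1", path)
}

// Constructed allowlist: RFC 3986 unreserved characters, "/", and well-formed
// percent-escapes. Deliberately stricter than pchar, since HAProxy treats
// whitespace, quotes, '#', '\' and '$' specially and none of them may pass.
var safePath = regexp.MustCompile(`^/(?:[A-Za-z0-9\-._~/]|%[0-9A-Fa-f]{2})*$`)

// ValidateRoutePath decides whether a spec.path may be interpolated into a
// line-oriented, whitespace-separated config without further escaping.
func ValidateRoutePath(path string) error {
	if path == "" || path[0] != '/' {
		return fmt.Errorf("spec.path must be absolute (start with /)")
	}
	// Anything that can start a new config line or token is reported first.
	for _, r := range path {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return fmt.Errorf("spec.path contains whitespace/control character %q", r)
		}
	}
	if !safePath.MatchString(path) {
		return fmt.Errorf("spec.path %q contains characters outside the allowlist", path)
	}
	return nil
}

// RenderPathLine is the hardened entry point: validate, then render.
func RenderPathLine(path string) (string, error) {
	if err := ValidateRoutePath(path); err != nil {
		return "", err
	}
	return haproxyPathLine(path), nil
}

func main() {
	for _, p := range []string{"/api/v1", "/a%20b", "/api x", "/api\nsecond line"} {
		line, err := RenderPathLine(p)
		fmt.Printf("%q -> line=%q err=%v\n", p, line, err)
	}
}
```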

