Preventing Route Services from Bypassing Application Security Groups

Article ID: 432493


Products

VMware Tanzu Application Service VMware Tanzu Application Platform

Issue/Introduction

A vulnerability (CVE-2026-22726) has been identified in the route service functionality that could allow an attacker to bypass Application Security Group (ASG) firewall rules. This could enable unauthorized HTTP traffic to be sent to internal systems.

The issue stems from insufficient validation of the target URL or IP address supplied when configuring a route service: a user can configure a route service whose target URL points at internal systems. A malicious actor exploiting this could route HTTP requests through Gorouter to systems within the internal network, effectively bypassing the security controls provided by ASG firewall rules.

This vulnerability affects all deployments that use route services. Route services are enabled in EAR via the "Route services" property in the "Networking" tab.

The following product lines and versions are affected:

  • Elastic Application Runtime (EAR) versions: Prior to 6.0.26, 10.2.9, and 10.3.6
  • Tanzu Isolation Segment (IST) versions: Prior to 6.0.26, 10.2.9, and 10.3.6

Resolution

To remediate this vulnerability, customers must (1) upgrade their affected product installations to a fixed version and (2) set the "Route services egress CIDR blocklist" property in the "Networking" tab.

Fixed Versions:

  • EAR: 6.0.26, 10.2.9, 10.3.6
  • IST: 6.0.26, 10.2.9, 10.3.6

On the updated versions, customers must use the new "Route services egress CIDR blocklist" property, located in the "Networking" tab, to explicitly prohibit route services from routing to internal systems. We suggest setting this property to "10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16".
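As an added illustration (not code from this advisory, from EAR, or from Gorouter), the following Go snippet shows the kind of egress check the blocklist property describes: it parses the suggested CIDR list and rejects a route service target whose host is a literal internal address, or a hostname that resolves to one. The function names and the injected resolver are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// DefaultEgressBlocklist is the value the advisory suggests for the property.
const DefaultEgressBlocklist = "10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16"

// ParseBlocklist turns the comma-separated property value into prefixes.
func ParseBlocklist(s string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, part := range strings.Split(s, ",") {
		p, err := netip.ParsePrefix(strings.TrimSpace(part))
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", part, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// CheckRouteServiceTarget rejects a route service URL whose host is, or resolves to,
// a blocklisted address. The resolver is injected (assumption) so the check runs offline.
func CheckRouteServiceTarget(rawURL string, blocklist []netip.Prefix,
	resolve func(host string) ([]netip.Addr, error)) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("route service URL %q has no usable host", rawURL)
	}
	host := u.Hostname()
	addrs := []netip.Addr{}
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = append(addrs, ip) // literal IP: no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return fmt.Errorf("cannot resolve %q: %w", host, err)
	}
	for _, a := range addrs { // one internal answer is enough to reject
		for _, p := range blocklist {
			// Unmap so ::ffff:10.0.0.1 is judged as 10.0.0.1.
			if p.Contains(a.Unmap()) {
				return fmt.Errorf("target %q resolves to blocklisted %s", host, a)
			}
		}
	}
	return nil
}
```

A production resolver should check every address a name returns, not only the first, since a name with mixed public and internal records would otherwise pass.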