CVE-2026-33726

EPSS 0.01%
Veröffentlicht 27.03.2026 00:23:21
Zuletzt bearbeitet 01.04.2026 15:53:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cilium ≫ Cilium Version < 1.17.14

Cilium ≫ Cilium Version >= 1.18.0 < 1.18.8

Cilium ≫ Cilium Version >= 1.19.0 < 1.19.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.005

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv

Patch

Vendor Advisory

https://github.com/cilium/cilium/pull/44693

Patch

Issue Tracking

https://docs.cilium.io/en/stable/network/concepts/routing/#routing

Technical Description

https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy

Technical Description

https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management

Technical Description