Platform
go
Component
github.com/cilium/cilium
Fixed in
1.17.15
1.18.1
1.19.1
1.17.14
1.17.14
1.17.14
CVE-2026-33726 describes a vulnerability in the Cilium L7 proxy that can lead to a bypass of Kubernetes NetworkPolicy enforcement for traffic originating and terminating on the same node. This can allow unauthorized communication between pods within the cluster. This issue affects github.com/cilium/cilium. The vulnerability is fixed in version 1.17.14.
CVE-2026-33726 in Cilium affects the L7 proxy, potentially allowing traffic within the same Kubernetes node to bypass defined NetworkPolicies. This means a pod could communicate with another pod on the same node without the authorization of a NetworkPolicy, compromising expected network isolation. The CVSS score is 5.4, indicating a medium risk. The vulnerability lies in how Cilium handles L7 traffic routing in same-node scenarios. If an attacker can exploit this flaw, they could access sensitive resources or disrupt services within the cluster, especially if NetworkPolicies are used to protect confidential data or restrict access to critical applications. The severity of the impact depends on the specific cluster configuration and the sensitivity of the data involved.
Exploitation of CVE-2026-33726 requires access to the Kubernetes cluster and an understanding of how Cilium's L7 proxy works. An attacker might attempt to send malicious traffic between pods on the same node to determine if NetworkPolicies are being applied correctly. The vulnerability manifests when the L7 proxy incorrectly applies NetworkPolicy rules for traffic originating from and destined to the same node. The complexity of exploitation depends on the cluster configuration and the attacker's ability to manipulate traffic. While no in-the-wild exploitation has been reported, the vulnerability poses a significant risk to Kubernetes clusters using Cilium and relying on NetworkPolicies for network isolation.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33726 is to upgrade Cilium to version 1.17.14 or higher. This version contains a fix addressing the vulnerability in the L7 proxy. While applying the upgrade, it's recommended to review and reinforce existing NetworkPolicies to minimize potential impact. Consider using more restrictive NetworkPolicies, especially for pods handling sensitive data. Monitoring Cilium logs for anomalous behavior can help detect potential exploitation attempts. Furthermore, it's crucial to apply the principle of least privilege, ensuring pods only have access to the resources they need. The upgrade should be performed in a test environment before deploying to production to avoid service disruptions.
Update Cilium to version 1.17.14, 1.18.8, or 1.19.2, or a later version that contains the fix for this vulnerability. This ensures that Kubernetes network policies are correctly applied to L7 traffic.
Vulnerability analysis and critical alerts directly to your inbox.
Cilium is a high-performance networking layer for Kubernetes providing network connectivity, security, and observability.
NetworkPolicy defines how pods can communicate with each other, providing granular control over network traffic within a Kubernetes cluster.
Check the installed Cilium version. If it's prior to 1.17.14, it's vulnerable. Also, review your NetworkPolicies to ensure network isolation is as expected.
While you can't upgrade, review and reinforce your NetworkPolicies to mitigate the risk. Monitor Cilium logs.
Vulnerability scanning tools can help identify vulnerable Cilium versions and suggest mitigation steps.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.