GHSA-3FCV-JVFP-M4Q9

Vulnerability from github – Published: 2026-07-06 17:03 – Updated: 2026-07-06 17:03
VLAI
Summary
Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access
Details

Impact

When Cilium L7 functionality is enabled on a cluster, the Envoy instance supporting this functionality creates a world-accessible socket on cluster nodes. A local attacker would be able to access Envoy admin endpoints. Depending on deployment configuration, this can expose sensitive information or allow disruptive administrative operations, such as:

  • Exposing TLS secrets
  • Disrupting traffic in the cluster
  • Terminating the Envoy process

This issue affects both the embedded and standalone Envoy deployment models.

Patches

This issue affects:

  • Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
  • Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
  • All versions of Cilium prior to v1.17.14

This issue has been patched in https://github.com/cilium/cilium/pull/44512, included in:

  • Cilium v1.19.2
  • Cilium v1.18.8
  • Cilium v1.17.14

Workarounds

There is no known workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to moemen for reporting the issue and 0xch4z for their work on triaging and remediating this issue.

For more information

If there are any questions or comments about this advisory, please reach out on [Slack (https://docs.cilium.io/en/latest/community/community/).

If anyone thinks they have found a vulnerability affecting Cilium, it is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and the report will be treated as a top priority.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.19.0"
            },
            {
              "fixed": "1.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.18.0"
            },
            {
              "fixed": "1.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T17:03:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nWhen Cilium L7 functionality is enabled on a cluster, the Envoy instance supporting this functionality creates a world-accessible socket on cluster nodes. A local attacker would be able to access Envoy admin endpoints. Depending on deployment configuration, this can expose sensitive information or allow disruptive administrative operations, such as:\n\n- Exposing TLS secrets\n- Disrupting traffic in the cluster\n- Terminating the Envoy process  \n\nThis issue affects both the embedded and standalone Envoy deployment models.\n\n### Patches\n\nThis issue affects:\n\n- Cilium v1.19 between v1.19.0 and v1.19.1 inclusive\n- Cilium v1.18 between v1.18.0 and v1.18.7 inclusive\n- All versions of Cilium prior to v1.17.14\n\nThis issue has been patched in https://github.com/cilium/cilium/pull/44512, included in:\n\n- Cilium v1.19.2\n- Cilium v1.18.8\n- Cilium v1.17.14\n\n### Workarounds\n\nThere is no known workaround to this issue.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to [moemen](https://github.com/moemen) for reporting the issue and [0xch4z](https://github.com/0xch4z) for their work on triaging and remediating this issue.\n\n### For more information\n\nIf there are any questions or comments about this advisory, please reach out on [Slack (https://docs.cilium.io/en/latest/community/community/).\n\nIf anyone thinks they have found a vulnerability affecting Cilium, it is strongly encouraged to report it to the security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and the report will be treated as a top priority.",
  "id": "GHSA-3fcv-jvfp-m4q9",
  "modified": "2026-07-06T17:03:20Z",
  "published": "2026-07-06T17:03:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-3fcv-jvfp-m4q9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/pull/44512"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cilium/cilium"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…