Kubernetes
CVE-2026-33726
MEDIUM
Severity by source
AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.
Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment.
Patches
This issue was fixed by #44693.
This issue affects:
- Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
- Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
- All versions of Cilium prior to v1.17.13
This issue is fixed in:
- Cilium v1.19.2
- Cilium v1.18.8
- Cilium v1.17.14
Workarounds
Disclaimer: There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.
Acknowledgements
The Cilium community has worked together with members of the Northflank and Isovalent teams to prepare these mitigations. Cilium thanks @sudeephb and @Champ-Goblem for reporting the issue and to @smagnani96 and @julianwiedmann for helping with the resolution.
For more information
Anyone who believes a vulnerability affecting Cilium has been found is strongly encouraged to report it to the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and any such report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.
AnalysisAI
Cilium Network Policy enforcement is bypassed for traffic from pods to L7 Services with local backends on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled, allowing authenticated local attackers to circumvent ingress network policies and access restricted services. This affects Cilium v1.19.0-v1.19.1, v1.18.0-v1.18.7, and all versions prior to v1.17.13, with the most common vulnerable deployment being Amazon EKS with Cilium ENI mode. Vendor-released patches are available (v1.19.2, v1.18.8, v1.17.14), and no public exploit code has been identified at the time of analysis.
Technical ContextAI
Cilium is a container networking and security platform for Kubernetes that uses eBPF (extended Berkeley Packet Filter) and BPF Host Routing to enforce network policies at the kernel level (CPE: pkg:go/github.com_cilium_cilium). The vulnerability resides in the interaction between Per-Endpoint Routing (a feature that creates individual routes per service endpoint, commonly auto-enabled by cloud IPAM providers including AWS ENI, AlibabaCloud ENI, Azure IPAM, and some GKE deployments) and the absence of BPF Host Routing (which provides optimized in-kernel packet forwarding). When Per-Endpoint Routing is active without BPF Host Routing, the eBPF-based ingress Network Policy enforcement mechanism fails to properly intercept and validate traffic destined for L7 Services (Envoy-based or GAMMA protocol services) whose backends reside on the same node as the source pod. This is fundamentally a policy enforcement bypass rooted in CWE-284 (Improper Access Control), where the kernel-level policy checks are not executed for a specific traffic pattern due to routing configuration interaction.
RemediationAI
Upgrade Cilium to v1.19.2, v1.18.8, or v1.17.14 or later, as these versions include the fix from PR #44693. No officially verified comprehensive workaround exists; the only potential mitigation is to disable per-endpoint routes via configuration (e.g., set kubeProxyReplacement to 'strict' or adjust routing.podCIDR settings), though this approach may cause connection disruptions and conflicts in cloud provider deployments and is not recommended as a long-term solution. For Amazon EKS deployments using Cilium ENI, prioritize patching to a fixed version immediately given that EKS with Cilium ENI is identified as the most common vulnerable configuration. Consult https://docs.cilium.io/en/stable/network/concepts/routing/#routing and the Cilium upgrade documentation for version-specific migration guidance.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today