Cilium CVE-2026-41520
HIGHSeverity by source
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled.
Users of WireGuard Transparent Encryption are affected. The sensitive data is the WireGuard private key (cilium_wg0.key) used for node-to-node encrypted communication
cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster. It is also invoked when gathering sysdumps using the Cilium CLI's cilium sysdump command.
Patches
This issue affects:
- Cilium v1.19 between v1.19.0 and v1.19.2 inclusive
- Cilium v1.18 between v1.18.0 and v1.18.8 inclusive
- All versions of Cilium prior to v1.17.15
This issue has been patched in:
- Cilium v1.19.3
- Cilium v1.18.9
- Cilium v1.17.15
Workarounds
There is no workaround to this issue.
Users who have previously shared bugtool or sysdump archives from WireGuard-enabled nodes should rotate the WireGuard keys on the affected nodes. This can be done by deleting the key file and restarting the Cilium agent, which will generate a new key pair.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Cillium extends special thanks to @kodareef5 for reporting the issue and @tklauser for their work on triaging and remediating this issue.
For more information
If there are any questions or comments about this advisory, please reach out on Slack.
Cilium strongly encourages the reporting of suspected vulnerabilities to the security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and the report will be treated as top priority.
AnalysisAI
WireGuard private keys leak through Cilium debugging tools in deployments using transparent encryption. Cilium's cilium-bugtool and cilium sysdump command expose the node-to-node WireGuard encryption private key (cilium_wg0.key) in output archives. Attackers with high-privilege local access to these diagnostic outputs can decrypt past and future inter-node traffic. Affects all Cilium versions prior to v1.17.15, v1.18.0-v1.18.8, and v1.19.0-v1.19.2. Patches released in v1.17.15, v1.18.9, and v1.19.3. No public exploit identified at time of analysis, but exploitation requires only access to previously shared bugtool/sysdump archives.
Technical ContextAI
Cilium is a Kubernetes networking, observability, and security solution based on eBPF. The affected component is cilium-bugtool, a diagnostic utility that collects system state for troubleshooting. When Cilium's WireGuard Transparent Encryption feature is enabled, nodes establish encrypted tunnels using WireGuard protocol with public/private key pairs stored locally. The vulnerability (CWE-200: Exposure of Sensitive Information) occurs because cilium-bugtool's file collection logic inadvertently includes the plaintext WireGuard private key file (cilium_wg0.key) in its output archive. This is a classic case of debugging tools over-collecting sensitive data. The issue manifests both when cilium-bugtool is invoked directly and when using the Cilium CLI's 'cilium sysdump' command, which internally calls cilium-bugtool. The leaked private key enables decryption of all WireGuard-encrypted traffic to/from the affected node, compromising the confidentiality of node-to-node communications that rely on this encryption layer.
RemediationAI
Upgrade to patched versions: Cilium v1.19.3, v1.18.9, or v1.17.15 depending on your current major version. Release artifacts available at https://github.com/cilium/cilium/releases/tag/v1.19.3, /v1.18.9, and /v1.17.15. Patching prevents future key exposure but does not invalidate previously leaked keys. Organizations that previously shared bugtool or sysdump archives from WireGuard-enabled nodes must rotate WireGuard keys on affected nodes. Key rotation procedure: delete the cilium_wg0.key file from each affected node and restart the Cilium agent, which will automatically generate a new key pair. Note that key rotation causes temporary disruption to encrypted node-to-node communication during the restart window. No workaround exists to prevent key leakage in unpatched versions - upgrade is mandatory. Review all previously shared diagnostic archives to identify potential exposure scope. Contact security@cilium.io if assistance is needed determining exposure or coordinating key rotation across large clusters.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gj49-89wh-h4gj