Severity by source
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
Socket is local and world-accessible so AV:L/AC:L/PR:N; Envoy admin control affects other cluster workloads' secrets and traffic giving S:C, C:H and A:H.
Primary rating from Vendor (https://github.com/cilium/cilium).
CVSS VectorVendor: https://github.com/cilium/cilium
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Impact
When Cilium L7 functionality is enabled on a cluster, the Envoy instance supporting this functionality creates a world-accessible socket on cluster nodes. A local attacker would be able to access Envoy admin endpoints. Depending on deployment configuration, this can expose sensitive information or allow disruptive administrative operations, such as:
- Exposing TLS secrets
- Disrupting traffic in the cluster
- Terminating the Envoy process
This issue affects both the embedded and standalone Envoy deployment models.
Patches
This issue affects:
- Cilium v1.19 between v1.19.0 and v1.19.1 inclusive
- Cilium v1.18 between v1.18.0 and v1.18.7 inclusive
- All versions of Cilium prior to v1.17.14
This issue has been patched in https://github.com/cilium/cilium/pull/44512, included in:
- Cilium v1.19.2
- Cilium v1.18.8
- Cilium v1.17.14
Workarounds
There is no known workaround to this issue.
Acknowledgements
The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to moemen for reporting the issue and 0xch4z for their work on triaging and remediating this issue.
For more information
If there are any questions or comments about this advisory, please reach out on [Slack (https://docs.cilium.io/en/latest/community/community/).
If anyone thinks they have found a vulnerability affecting Cilium, it is strongly encouraged to report it to the security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and the report will be treated as a top priority.
AnalysisAI
Missing authorization on Cilium's Envoy admin socket lets any local user on a cluster node reach privileged Envoy admin endpoints when L7 (Layer 7) network policy functionality is enabled. Affecting Cilium 1.17.x before 1.17.14, 1.18.0-1.18.7, and 1.19.0-1.19.1 in both embedded and standalone Envoy models, it carries a CVSS 9.2 (scope-changing) rating and allows dumping TLS secrets, disrupting cluster traffic, or killing the Envoy proxy. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) Cilium L7 functionality (Layer 7 network policy / Envoy proxy) to be enabled on the cluster - this is the specific feature that creates the world-accessible Envoy admin socket; and (2) local access to a cluster node, i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H yields 9.2 primarily because of the scope change (S:C): a foothold on one node's local socket lets an attacker affect the wider cluster (other workloads' TLS secrets and traffic). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains local code execution on a cluster node - for example via a compromised low-privilege pod or a co-tenant workload - connects to Cilium's world-accessible Envoy admin socket. They query the admin endpoints to dump TLS certificates and keys used for L7 traffic, then issue an admin command to drain listeners or terminate the Envoy process, degrading or cutting cluster traffic. … |
| Remediation | Vendor-released patch: upgrade to Cilium 1.19.2, 1.18.8, or 1.17.14, which contain the fix from https://github.com/cilium/cilium/pull/44512 (advisory GHSA-3fcv-jvfp-m4q9). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Cilium clusters to identify affected versions and L7 policy configurations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44772
GHSA-3fcv-jvfp-m4q9