Julianwiedmann

#43795 of 53,634
6.1 Total CVSS
Vulnerabilities · 1
PT-2026-20966
6.1
2026-02-19
Cilium · Cilium · CVE-2026-26963
**Name of the Vulnerable Software and Affected Versions**

Cilium versions 1.18.0 through 1.18.5

**Description**

Cilium, a networking, observability, and security solution built on an eBPF-based dataplane, is affected by an issue where traffic from Pods on other nodes may be incorrectly permitted. This occurs when Native Routing, WireGuard, and Node Encryption are enabled at the same time; with this combination, policy is not enforced correctly. A fix was introduced in version 1.18.6. A workaround is to add IP rules and routes so that all ingress traffic arriving on the `cilium_wg0` interface is routed to `cilium_host` for policy enforcement, which ensures host-level security policies are applied to decrypted WireGuard traffic. The workaround consists of running the following commands on each CiliumNode:

```bash
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
```

**Recommendations**

Cilium versions 1.18.0 through 1.18.5 should be updated to version 1.18.6 or later. As a temporary workaround, add the following IP rules and routes on each CiliumNode:

```bash
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
```
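As an added example (not part of this record or of the Cilium project), a small POSIX shell checker for confirming that the workaround above is actually in place on a node after a rollout; the `ip rule` / `ip route` output it parses is constructed here, and the function names are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the advisory or the Cilium project: verify that the
# CVE-2026-26963 workaround (iif rule plus default route in table 300) is present.
# The outputs below are constructed to mimic `ip rule show` / `ip route show table 300`;
# on a real node, feed in the live command output instead (see usage at the end).

# Succeed (return 0) if the `ip rule` output contains "from all iif <iface> lookup <table>".
has_iif_rule() {
  # $1 = ip rule output, $2 = ingress interface, $3 = routing table number
  printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from all iif $2 lookup $3([[:space:]]|$)"
}

# Succeed if the `ip route show table N` output contains a default route via <dev>.
has_default_dev() {
  # $1 = route table output, $2 = expected device
  printf '%s\n' "$1" | grep -Eq "^default dev $2([[:space:]]|$)"
}

# Full check for one address family; reports which part is missing for the operator.
workaround_applied() {
  # $1 = ip rule output, $2 = table 300 route output, $3 = expected device for the default route
  has_iif_rule "$1" cilium_wg0 300 || { echo "missing: rule iif cilium_wg0 -> table 300"; return 1; }
  has_default_dev "$2" "$3" || { echo "missing: default route dev $3 in table 300"; return 1; }
  return 0
}

# Constructed sample output from a node where the IPv4 workaround is in place.
RULES_OK='0:      from all lookup local
32765:  from all iif cilium_wg0 lookup 300
32766:  from all lookup main
32767:  from all lookup default'
ROUTES_OK='default dev cilium_host scope link'

# Constructed sample from a node that was missed during rollout (no rule, empty table 300).
RULES_MISSING='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
ROUTES_MISSING=''

# Usage on a live node (iproute2 required; IPv6 expects cilium_net per the advisory):
#   workaround_applied "$(ip rule show)" "$(ip route show table 300)" cilium_host
#   workaround_applied "$(ip -6 rule show)" "$(ip -6 route show table 300)" cilium_net
```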