PT-2026-20966 · Cilium · Cilium
Julianwiedmann
Published 2026-02-19 · Updated 2026-03-03
CVE-2026-26963
CVSS v3.1: 6.1 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cilium versions 1.18.0 through 1.18.5
Description
Cilium, a networking, observability, and security solution with an eBPF-based dataplane, is affected by an issue where traffic from Pods on other nodes may be incorrectly permitted. This occurs when Native Routing, WireGuard, and Node Encryption are all enabled at the same time: with that combination, network policy is not correctly enforced on the traffic. A fix was introduced in version 1.18.6. As a workaround, add IP rules and routes so that all ingress traffic from the cilium_wg0 interface is routed to cilium_host for policy enforcement. This ensures host-level security policies are applied to decrypted WireGuard traffic. The workaround involves executing the following commands on each CiliumNode:
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
Recommendations
Cilium versions 1.18.0 through 1.18.5 should be updated to version 1.18.6 or later.
As a temporary workaround, add the following IP rules and routes on each CiliumNode:
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
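An added example, not part of this advisory or of the Cilium project: a POSIX shell script that checks whether the workaround rules and routes above are already present on a node and applies only the missing ones, so it can be run repeatedly from node provisioning. The function names, the constructed sample `ip rule show` output and the `apply` argument are this script's own assumptions; the interface names and table number come from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or Cilium): idempotent check/apply of
# the CVE-2026-26963 workaround. Interface names cilium_wg0, cilium_host,
# cilium_net and table 300 are the advisory's; everything else is assumed.

# has_wg_rule RULES_TEXT: 0 if the output of `ip [-6] rule show` already
# contains a rule sending ingress traffic from cilium_wg0 to table 300.
has_wg_rule() {
    printf '%s\n' "$1" | grep -Eq 'iif cilium_wg0 .*lookup 300'
}

# has_default_route DEV ROUTES_TEXT: 0 if the output of
# `ip [-6] route show table 300` already has a default route out of DEV.
has_default_route() {
    printf '%s\n' "$2" | grep -Eq "^default dev $1([[:space:]]|\$)"
}

# ensure_family FAMILY DEV: FAMILY is -4 or -6; DEV is the device the
# advisory names for that family (cilium_host for IPv4, cilium_net for IPv6).
ensure_family() {
    fam=$1; dev=$2
    if has_wg_rule "$(ip "$fam" rule show)"; then
        echo "rule iif cilium_wg0 -> table 300 ($fam) already present"
    else
        ip "$fam" rule add iif cilium_wg0 table 300
    fi
    if has_default_route "$dev" "$(ip "$fam" route show table 300)"; then
        echo "default route via $dev in table 300 ($fam) already present"
    else
        ip "$fam" route add default dev "$dev" table 300
    fi
}

# Constructed sample outputs of `ip rule show`, used only for self-checks.
SAMPLE_RULES_PRESENT='0:      from all lookup local
32765:  from all iif cilium_wg0 lookup 300
32766:  from all lookup main'
SAMPLE_RULES_MISSING='0:      from all lookup local
32766:  from all lookup main'

# Only touch the live routing tables when explicitly asked (needs root).
if [ "${1:-}" = apply ]; then
    # cilium_wg0 only exists when WireGuard is enabled; otherwise nothing to do.
    ip link show cilium_wg0 >/dev/null 2>&1 || { echo "no cilium_wg0 on this node" >&2; exit 1; }
    ensure_family -4 cilium_host
    ensure_family -6 cilium_net
fi
```

Run it as `sh workaround.sh apply` on each CiliumNode; without the argument it only defines the check functions.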
Weakness Enumeration
Incorrect Authorization
Affected Products
Cilium