PT-2026-28513 · Amazon +4 · Eks +4
Champ-Goblem +1
Published 2026-03-26 · Updated 2026-05-18
CVE-2026-33726 · CVSS v3.1 5.4 (Medium) · Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Cilium versions prior to 1.17.14
Cilium versions 1.18.0 through 1.18.7
Cilium versions 1.19.0 through 1.19.1

Description

Cilium is a networking, observability, and security solution utilizing an eBPF-based dataplane. Ingress Network Policies are not enforced for traffic originating from pods destined for L7 Services (Envoy, GAMMA) with a local backend residing on the same node when Per-Endpoint Routing is enabled and BPF Host Routing is disabled.

Per-Endpoint Routing is enabled automatically in deployments employing cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, excluding AKS BYOCNI), and certain GKE deployments (gke.enabled). This issue primarily impacts Amazon EKS with Cilium ENI mode.

The affected API endpoints are L7 Services such as /api/v1/login and /users/{id}. The vulnerable parameter is the destination IP address of the traffic.

Recommendations

Versions prior to 1.17.14: Upgrade to version 1.17.14 or later.
Versions 1.18.0 through 1.18.7: Upgrade to version 1.18.8 or later.
Versions 1.19.0 through 1.19.1: Upgrade to version 1.19.2 or later.
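The following triage helper is an added example, not part of this advisory or of the Cilium project: it takes a Cilium agent version and the relevant cilium-config values and reports whether a cluster sits in the affected version range and in the affected dataplane mode (per-endpoint routing on, BPF host routing off). The config key names `enable-endpoint-routes` and `enable-host-legacy-routing` are assumptions (the cilium-config keys behind the Helm settings `endpointRoutes.enabled` and `bpf.hostLegacyRouting`); the sample ConfigMap data is constructed.

```python
import re

# Fixed releases from the advisory: minor series -> first fixed patch level.
# Anything older than 1.17 falls under "prior to 1.17.14" and is unfixed;
# series newer than 1.19 are not listed and are treated as fixed.
FIXED = {(1, 17): 14, (1, 18): 8, (1, 19): 2}


def parse_version(v):
    """'v1.18.3' or '1.18.3-rc.1' -> (1, 18, 3); raise on anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Cilium version: {v!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(v):
    major, minor, patch = parse_version(v)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (1, 17)


def config_is_exposed(cfg):
    """True when the dataplane is in the affected mode: per-endpoint routing
    enabled and legacy (non-BPF) host routing in use.  Key names are
    assumptions; cloud IPAM modes (eni/alibabacloud/azure/gke) turn
    per-endpoint routing on automatically, so the first flag is usually true
    there.  Note that Cilium also falls back to legacy host routing when the
    kernel lacks BPF host routing support, so a 'false' here is not proof of
    BPF host routing; check the effective mode on a running agent."""
    def flag(key):
        return cfg.get(key, "false").strip().lower() == "true"
    return flag("enable-endpoint-routes") and flag("enable-host-legacy-routing")


def assess(version, cfg):
    """Summarise exposure to CVE-2026-33726 for one cluster."""
    if not version_is_vulnerable(version):
        return "fixed"
    if config_is_exposed(cfg):
        return "affected"
    return "vulnerable version, non-affected mode"


# Constructed sample: a 1.18.3 agent in ENI mode with legacy host routing.
SAMPLE_CONFIG = {
    "ipam": "eni",
    "enable-endpoint-routes": "true",
    "enable-host-legacy-routing": "true",
}

if __name__ == "__main__":
    print(assess("v1.18.3", SAMPLE_CONFIG))
```

Because the agent silently falls back to legacy host routing on kernels without BPF host routing support, confirm the effective mode with `cilium status --verbose` (it reports the Host Routing mode) rather than trusting the ConfigMap alone.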


Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

BIT-CILIUM-2026-33726
BIT-CILIUM-OPERATOR-2026-33726
BIT-HUBBLE-RELAY-2026-33726
CLEANSTART-2026-NB78893
CLEANSTART-2026-QA19540
CLEANSTART-2026-SQ24713
CLEANSTART-2026-VU90450
CVE-2026-33726
GHSA-HXV8-4J4R-CQGV
GO-2026-4856
SUSE-SU-2026:1135-1

Affected Products

Cilium
Eks
Envoy
Gamma
Gke