PT-2026-35502 · Cilium · Cilium

Kodareef5 · Published 2026-04-25 · Updated 2026-05-18 · CVE-2026-41520

CVSS v3.1: 7.9 (High)

Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Cilium versions prior to 1.17.15
Cilium versions 1.18.0 through 1.18.8
Cilium versions 1.19.0 through 1.19.2

Description

When run against deployments with WireGuard encryption enabled, the output of the cilium-bugtool debugging tool can contain sensitive data. Specifically, the WireGuard private key cilium_wg0.key, used for node-to-node encrypted communication, may be exposed. The tool is typically invoked manually or while gathering sysdumps via the cilium sysdump command.

Recommendations

Update to version 1.17.15 for versions prior to 1.17.15.
Update to version 1.18.9 for versions 1.18.0 through 1.18.8.
Update to version 1.19.3 for versions 1.19.0 through 1.19.2.
If bugtool or sysdump archives have been shared, rotate WireGuard keys on affected nodes by deleting the key file and restarting the Cilium agent to generate a new key pair.
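
To find out which stored archives make the key rotation above necessary, the following added example (not Cilium project code) searches an archive and any archives nested inside it for a member named cilium_wg0.key, without printing its contents. It assumes a sysdump is a zip with bugtool tar archives inside; the member names in `build_sample` are constructed for the demonstration.

```python
import base64, io, tarfile, zipfile

KEY_NAME = "cilium_wg0.key"  # key file name given in the advisory text

def looks_like_wg_key(data):
    """WireGuard private keys are 32 bytes, stored as one base64 line."""
    try:
        return len(base64.b64decode(data.strip(), validate=True)) == 32
    except ValueError:
        return False

def members_of(blob):
    """List (name, bytes) for a tar/tar.gz or zip blob; [] if it is neither."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as t:
            return [(m.name, t.extractfile(m).read()) for m in t if m.isfile()]
    except (tarfile.TarError, EOFError, OSError):
        pass
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return [(i.filename, z.read(i)) for i in z.infolist() if not i.is_dir()]
    return []

def find_keys(blob, path="", depth=0):
    """Return [(nested path, looks_like_key)] for each KEY_NAME member found."""
    hits = []
    for name, data in (members_of(blob) if depth <= 4 else []):  # bounded nesting
        full = f"{path}!{name}" if path else name
        if name.rsplit("/", 1)[-1] == KEY_NAME:
            hits.append((full, looks_like_wg_key(data)))  # report, never echo the key
        else:
            hits.extend(find_keys(data, full, depth + 1))
    return hits

def build_sample():
    """Constructed input: a zip holding a tar.gz that holds a dummy key file."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as t:
        for name, body in [("cmd/ip-a.md", b"constructed\n"),
                           ("state/" + KEY_NAME, base64.b64encode(bytes(32)) + b"\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            t.addfile(info, io.BytesIO(body))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("bugtool-node-a.tar.gz", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(find_keys(build_sample()))
```

For a real archive, pass its bytes to `find_keys`; any hit marks a node whose key should be rotated as described above.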

Fix

Information Disclosure

Cleartext Storage of Sensitive Information

Weakness Enumeration

Related Identifiers

BIT-CILIUM-2026-41520
BIT-CILIUM-OPERATOR-2026-41520
BIT-HUBBLE-RELAY-2026-41520
CVE-2026-41520
GHSA-GJ49-89WH-H4GJ

Affected Products

Cilium