PT-2026-56056 · Cilium · Cilium
Ysksuzuki
·
Published
2026-07-06
·
Updated
2026-07-07
·
CVE-2026-53935
CVSS v3.1
6.9
Medium
| Vector | AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Cilium versions 1.19.0 through 1.19.3
Cilium versions 1.18.2 through 1.18.9
Cilium versions prior to 1.17.16
Description
Users capable of creating CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs using the
addressMatcher parameter. This allows for the hijacking of traffic to Services in any namespace, which bypasses the namespace-scoping guarantees typically enforced by the serviceMatcher. Furthermore, the deletion of such a policy can corrupt the internal service state of Cilium, potentially causing service translation to fail completely for the affected Service.Recommendations
Update to version 1.19.4
Update to version 1.18.10
Update to version 1.17.16
Fix
Open Redirect
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Cilium