CVE-2026-33726
CVE-2026-33726 is a medium-severity vulnerability in Cilium with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-284.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 0% (15th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-16503
- Weakness: CWE-284
- Affected product: Cilium
- Published:
- Last modified:
Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.
Frequently asked questions
- What is CVE-2026-33726?
- Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.
- How severe is CVE-2026-33726?
- CVE-2026-33726 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-33726 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-33726?
- CVE-2026-33726 affects Cilium. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-33726?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-33726 have an EU (EUVD) identifier?
- Yes. CVE-2026-33726 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-16503.
- When was CVE-2026-33726 published?
- CVE-2026-33726 was published on 2026-03-27 and last updated on 2026-06-17.
References
- https://docs.cilium.io/en/stable/network/concepts/routing/#routing
- https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy
- https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management
- https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing
- https://github.com/cilium/cilium/pull/44693
- https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv
Affected products (1)
- cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*
More vulnerabilities in Cilium
- CVE-2022-29178 — High (CVSS 8.8): Cilium is open source software for providing and securing network connectivity and loadbalancing between application…
- CVE-2024-28860 — High (CVSS 8.0): Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Users of IPsec transparent…
- CVE-2026-41520 — High (CVSS 7.9): Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15,…
- CVE-2024-37307 — High (CVSS 7.9): Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.13.0…
- CVE-2023-39347 — High (CVSS 7.6): Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability…
- CVE-2022-29179 — High (CVSS 7.5): Cilium is open source software for providing and securing network connectivity and loadbalancing between application…
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →