CVE-2026-26963
Improper Traffic Authorization in Cilium Node Encryption Module
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cilium | cilium | From 1.18.0 (inc) to 1.18.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26963 is a moderate severity vulnerability affecting Cilium versions 1.18.0 through 1.18.5 when Native Routing, WireGuard, and Node Encryption are enabled simultaneously.
The vulnerability occurs because ingress traffic arriving via the WireGuard interface (cilium_wg0) is not properly routed through the host network stack for host firewall policy enforcement after decryption.
As a result, traffic from Pods on other nodes can bypass intended host-level security controls, allowing unauthorized traffic to be permitted.
This issue was fixed in Cilium version 1.18.6 by ensuring that packets destined for the local host are redirected through the cilium_host interface and the appropriate BPF programs to enforce host firewall ingress policies.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized network traffic from Pods on other nodes to bypass host firewall policies.
The attack vector is adjacent network access with low complexity and requires no privileges or user interaction.
The impact includes a loss of confidentiality and integrity of data, as unauthorized traffic can be permitted, but it does not affect availability.
This could lead to potential exposure of sensitive data or unauthorized access within your network environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when Cilium versions 1.18.0 through 1.18.5 have Native Routing, WireGuard, and Node Encryption enabled simultaneously, causing ingress traffic arriving via the WireGuard interface (cilium_wg0) to bypass host firewall policies.
To detect if your system is affected, check if your Cilium version is within the vulnerable range and if the three features (Native Routing, WireGuard, and Node Encryption) are enabled.
A practical way to verify the presence of the vulnerability is to inspect routing rules related to the WireGuard interface (cilium_wg0) and whether ingress traffic is properly routed through the host network stack for policy enforcement.
Suggested commands to help detect or mitigate the issue by explicitly routing ingress traffic from cilium_wg0 to cilium_host (which also serves as a detection step) are:
- For IPv4 traffic: `ip rule add iif cilium_wg0 table 300` followed by `ip route add default dev cilium_host table 300`
- For IPv6 traffic: `ip -6 rule add iif cilium_wg0 table 300` followed by `ip -6 route add default dev cilium_net table 300`
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Cilium version 1.18.6, so the primary mitigation step is to upgrade your Cilium deployment to version 1.18.6 or later.
If immediate upgrade is not possible, a locally validated mitigation involves explicitly routing all ingress traffic from the WireGuard interface (cilium_wg0) to the cilium_host interface to ensure host firewall policies are applied.
The recommended commands to implement this mitigation on each Cilium node are:
- For IPv4 traffic: `ip rule add iif cilium_wg0 table 300` followed by `ip route add default dev cilium_host table 300`
- For IPv6 traffic: `ip -6 rule add iif cilium_wg0 table 300` followed by `ip -6 route add default dev cilium_net table 300`
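The detection and mitigation answers above both reduce to two checks an operator can script: is the node's Cilium version inside the affected range (1.18.0 inclusive to 1.18.6 exclusive), and is the interim `iif cilium_wg0` policy rule already present in `ip rule show` output? The following POSIX shell script is an added example, not code from the advisory or the Cilium project. It takes the Cilium version as an argument rather than auto-detecting it, does not check whether Native Routing, WireGuard and Node Encryption are actually enabled (the page gives no commands for that), and the `ip rule show` sample lines embedded in it are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the advisory or the Cilium project):
# helper functions to audit a node for CVE-2026-26963 interim-rule coverage.
#  - cilium_version_affected: is the version in [1.18.0, 1.18.6)?
#  - wg_rule_present: does `ip rule show` output (stdin) contain the advisory's
#    "iif cilium_wg0 -> table 300" rule?
#  - needs_interim_rule: affected version AND rule absent.

# Constructed sample `ip rule show` output on a node WITHOUT the interim rule.
RULES_UNMITIGATED='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample output on a node WITH the advisory's rule applied.
RULES_MITIGATED='0:      from all lookup local
32765:  from all iif cilium_wg0 lookup 300
32766:  from all lookup main
32767:  from all lookup default'

# Return 0 if $1 is an affected Cilium version, 1 otherwise.
# Accepts "1.18.3" or "v1.18.3"; pre-release/build suffixes are stripped.
cilium_version_affected() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
    case "$v" in *.*.*) ;; *) return 1 ;; esac      # need major.minor.patch
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major$minor$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -eq 1 ] && [ "$minor" -eq 18 ] && [ "$patch" -lt 6 ]
}

# Return 0 if stdin (output of `ip rule show` or `ip -6 rule show`) contains
# a rule steering packets arriving on cilium_wg0 into table 300.
wg_rule_present() {
    grep -Eq 'iif[[:space:]]+cilium_wg0[[:space:]].*lookup[[:space:]]+300'
}

# Return 0 when a node running Cilium $1 still needs the interim rule,
# judging from the `ip rule show` output supplied on stdin.
needs_interim_rule() {
    cilium_version_affected "$1" || return 1
    ! wg_rule_present
}

# Optional live mode: `sh check_cve_2026_26963.sh --node 1.18.3` reads the
# real IPv4 and IPv6 rule tables on this node (requires iproute2).
if [ "${1:-}" = "--node" ]; then
    ver=${2:?usage: --node <cilium-version>}
    if cilium_version_affected "$ver"; then
        echo "Cilium $ver is in the affected range (1.18.0 to 1.18.5)"
        if ip rule show | wg_rule_present; then
            echo "IPv4: interim cilium_wg0 rule present"
        else
            echo "IPv4: interim cilium_wg0 rule MISSING"
        fi
        if ip -6 rule show | wg_rule_present; then
            echo "IPv6: interim cilium_wg0 rule present"
        else
            echo "IPv6: interim cilium_wg0 rule MISSING"
        fi
    else
        echo "Cilium $ver is outside the affected range (fixed in 1.18.6)"
    fi
fi
```

Run it with `--node <version>` on each Cilium node; a "MISSING" line on an affected version means the host firewall still does not see decrypted WireGuard ingress, and the rule and route from the advisory (or the upgrade to 1.18.6) should be applied. The rule check is deliberately a pattern match on `ip rule show` rather than a probe with real traffic, so it is safe to run on production nodes.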