CVE-2026-53935
Received Received - Intake

Traffic Hijacking via Arbitrary ClusterIP in Cilium

Vulnerability report for CVE-2026-53935, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
cilium cilium 1.17.16
cilium cilium to 1.17.16 (exc)
cilium cilium From 1.18.2 (inc) to 1.18.9 (inc)
cilium cilium From 1.19.0 (inc) to 1.19.3 (inc)
cilium cilium 1.18.10
cilium cilium 1.19.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Cilium, a networking, observability, and security solution. In certain versions prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users who have the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs using the addressMatcher feature. This allows them to hijack traffic intended for Services in any namespace, bypassing the namespace scoping that is normally enforced by serviceMatcher.

Additionally, deleting such a maliciously crafted policy can corrupt Cilium's internal service state and stop service translation for the affected Service. The issue has been fixed in versions 1.17.16, 1.18.10, and 1.19.4.

Impact Analysis

This vulnerability can impact you by allowing an attacker with permissions to create CiliumLocalRedirectPolicies to hijack network traffic intended for services in any namespace, potentially redirecting or intercepting sensitive data.

Furthermore, deleting such a malicious policy can corrupt the internal service state of Cilium, causing service translation to stop for the affected service, which can lead to denial of service or disruption of network communications.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cilium to one of the fixed versions: 1.17.16, 1.18.10, or 1.19.4.

Avoid allowing users to create CiliumLocalRedirectPolicies until the upgrade is applied, as these policies can be exploited to hijack traffic and corrupt internal service state.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart