CVE-2026-56742
Undergoing Analysis
Undergoing Analysis - In Progress
Authorization Bypass in Cilium Gateway API
Vulnerability report for CVE-2026-56742, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-15
Last updated on: 2026-07-15
Assigner: GitHub, Inc.
Description
Description
Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant authorization mechanism. Gateway API functionality is disabled by default. This issue is fixed in versions 1.17.17, 1.18.11, and 1.19.5.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cilium | cilium | 1.17.17 |
| cilium | cilium | 1.18.11 |
| cilium | cilium | 1.19.5 |
| cilium | cilium | to 1.17.17 (exc) |
| cilium | cilium | From 1.18.0 (inc) to 1.18.11 (exc) |
| cilium | cilium | From 1.19.0 (inc) to 1.19.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |