Description
Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.
Published: 2026-07-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cilium is a networking solution that uses CiliumLocalRedirectPolicies to control traffic routing. Prior to version 1.17.16, and in certain 1.18.x and 1.19.x releases, administrators could create these policies with an addressMatcher that accepts arbitrary ClusterIP values. This flaw allows a user with policy creation rights to specify any IP in any namespace, effectively hijacking traffic destined for a Service and redirecting it to an attacker‑controlled endpoint. Deleting such a policy can also corrupt Cilium’s internal service state, causing service translation to fail for the affected Service. The primary impact is cross‑namespace service traffic hijacking and potential disruption of service availability.

Affected Systems

The vulnerability exists in Cilium. It affects all releases prior to 1.17.16, versions 1.18.2 through 1.18.9, and 1.19.0 through 1.19.3. Upgrading to 1.17.16, 1.18.10, or 1.19.4 resolves the issue.

Risk and Exploitability

CVSS score of 6.9 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of exploitation is unknown. The attack requires the ability to create or delete CiliumLocalRedirectPolicies, typically requiring cluster‑level privileges. If an attacker gains such privileges, they can hijack service traffic across namespaces or cause denial of service by corrupting the service state.

Generated by OpenCVE AI on July 8, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cilium to a fixed version (at least 1.17.16, 1.18.10, or 1.19.4).
  • Restrict the creation of CiliumLocalRedirectPolicies to trusted cluster administrators and enforce namespace scope checks.
  • Review existing policies for arbitrary addressMatcher entries across namespaces and delete or modify policies that expose services beyond the intended namespace.

Generated by OpenCVE AI on July 8, 2026 at 04:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6h5-q3q6-f87x CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
History

Tue, 07 Jul 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Cilium
Cilium cilium
Vendors & Products Cilium
Cilium cilium

Tue, 07 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Description Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.
Title CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T20:44:54.972Z

Reserved: 2026-06-11T15:46:12.317Z

Link: CVE-2026-53935

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T04:30:05Z

Weaknesses