Threat Advisory

Cilium Vulnerability Allows Local Envoy Admin Access

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-49445 with a CVSS score of 9.2 is a critical vulnerability in Cilium’s L7 networking component that affects Cilium versions 1.19.0 through 1.19.1, 1.18.0 through 1.18.7, and any release prior to 1.17.14. When L7 functionality is enabled, the Envoy sidecar creates a world‑accessible Unix domain socket on each node, exposing the Envoy admin interface to any local process. An attacker who already has low‑privilege or container‑level access on a compromised node can connect to this socket without authentication, issue admin commands, and either read TLS secrets stored in Envoy, disrupt or reroute traffic, or forcibly terminate the Envoy process. This capability allows the extraction of sensitive certificate material, denial‑of‑service across services, and potential lateral movement within the cluster. The business impact includes loss of confidential data, interruption of critical microservice communication, and erosion of service reliability, which can translate to regulatory penalties and revenue loss. Exploitation requires only local code execution or container compromise on a node where Cilium’s L7 feature is enabled; no remote network access is needed.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-49445 with a CVSS score of 9.2 is a critical vulnerability in Cilium’s L7 networking component that affects Cilium versions 1.19.0 through 1.19.1, 1.18.0 through 1.18.7, and any release prior to 1.17.14. When L7 functionality is enabled, the Envoy sidecar creates a world‑accessible Unix domain socket on each node, exposing the Envoy admin interface to any local process. An attacker who already has low‑privilege or container‑level access on a compromised node can connect to this socket without authentication, issue admin commands, and either read TLS secrets stored in Envoy, disrupt or reroute traffic, or forcibly terminate the Envoy process. This capability allows the extraction of sensitive certificate material, denial‑of‑service across services, and potential lateral movement within the cluster. The business impact includes loss of confidential data, interruption of critical microservice communication, and erosion of service reliability, which can translate to regulatory penalties and revenue loss. Exploitation requires only local code execution or container compromise on a node where Cilium’s L7 feature is enabled; no remote network access is needed.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update Cilium to version 1.19.2. We recommend you to update Cilium to version 1.18.8. We recommend you to update Cilium to version 1.17.14.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3fcv-jvfp-m4q9

[/emaillocker]
crossmenu