Threat Advisory

Critical Cilium Vulnerability Allows Cross‐Namespace Service Hijacking

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53935 with a CVSS score of 6.9 is a vulnerability in the Cilium container networking plugin that affects versions 1.19.0 through 1.19.3, 1.18.2 through 1.18.9, and any release prior to 1.17.16. The flaw resides in the CiliumLocalRedirectPolicy’s addressMatcher field, which incorrectly allows users to specify arbitrary ClusterIP addresses, thereby bypassing the namespace‑scoping checks enforced by serviceMatcher. An attacker who can create or modify CiliumLocalRedirectPolicy resources—typically via a compromised Kubernetes API token or excessive RBAC privileges—can craft a policy that redirects traffic destined for services in other namespaces to an attacker‑controlled endpoint, effectively hijacking cross‑namespace communication. This exploitation requires only API access to the cluster and the ability to submit the malicious policy; no additional kernel or host access is needed. Successful exploitation grants the threat actor the ability to intercept, modify, or exfiltrate data flowing between services and can also corrupt Cilium’s internal service state, causing service translation to fail and resulting in denial‑of‑service conditions. The impact is especially severe in multi‑tenant or compliance‑sensitive environments where isolation guarantees are critical, and exploitation is contingent upon the presence of the vulnerable Cilium version and sufficient policy‑creation permissions.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-53935 with a CVSS score of 6.9 is a vulnerability in the Cilium container networking plugin that affects versions 1.19.0 through 1.19.3, 1.18.2 through 1.18.9, and any release prior to 1.17.16. The flaw resides in the CiliumLocalRedirectPolicy’s addressMatcher field, which incorrectly allows users to specify arbitrary ClusterIP addresses, thereby bypassing the namespace‑scoping checks enforced by serviceMatcher. An attacker who can create or modify CiliumLocalRedirectPolicy resources—typically via a compromised Kubernetes API token or excessive RBAC privileges—can craft a policy that redirects traffic destined for services in other namespaces to an attacker‑controlled endpoint, effectively hijacking cross‑namespace communication. This exploitation requires only API access to the cluster and the ability to submit the malicious policy; no additional kernel or host access is needed. Successful exploitation grants the threat actor the ability to intercept, modify, or exfiltrate data flowing between services and can also corrupt Cilium’s internal service state, causing service translation to fail and resulting in denial‑of‑service conditions. The impact is especially severe in multi‑tenant or compliance‑sensitive environments where isolation guarantees are critical, and exploitation is contingent upon the presence of the vulnerable Cilium version and sufficient policy‑creation permissions.[emaillocker id="1283"]

RECOMMENDATION:

  • We recommend you to update Cilium to version 1.19.4. We recommend you to update Cilium to version 1.18.10. We recommend you to update Cilium to version 1.17.16.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-q6h5-q3q6-f87x

[/emaillocker]
crossmenu