EXECUTIVE SUMMARY:
CVE-2026-26963 is a moderate severity vulnerability with a CVSS score of 6.1 affecting the Go based container networking package where host firewall policies may not be enforced correctly when Native Routing WireGuard and the beta Node Encryption feature are enabled together. Under this configuration traffic originating from pods on different nodes can bypass expected host level filtering and be incorrectly permitted because decrypted WireGuard traffic does not traverse the normal policy enforcement path. Although these features are disabled by default environments that enable them may face unintended exposure and weakened network segmentation controls. The issue impacts versions 1.18.0 through 1.18.5 and is fixed in version 1.18.6 which restores proper policy handling. There is no fully validated workaround across production environments, but a limited mitigation demonstrated in a local setup suggests routing all ingress traffic from the cilium_wg0 interface to the cilium_host interface so host policies can be applied before further processing. Applying dedicated routing rules for both IPv4 and IPv6 traffic helps ensure decrypted traffic is inspected by firewall controls reducing the possibility of cross node policy bypass until systems are updated to the patched release.
RECOMMENDATION:
We strongly recommend update Cilium container networking package to version 1.18.6.
REFERENCES:
The following reports contain further technical details: