CVE-2026-49445 in Cilium
Summary
by MITRE • 07/15/2026
Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes, allowing a local attacker to access Envoy admin endpoints, expose TLS secrets, disrupt cluster traffic, or terminate Envoy. This issue is fixed in versions 1.17.14, 1.18.8, and 1.19.2.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Cilium represents a critical security flaw that affects the network security solution's handling of Layer 7 (L7) functionality within Kubernetes clusters. When enabled, this feature causes the embedded or standalone Envoy proxy instance to create an administrative socket file that is accessible to all local users on the cluster nodes. This design flaw creates an unauthorized access vector that significantly undermines the security posture of containerized environments relying on Cilium for network policy enforcement and traffic management.
The technical implementation of this vulnerability stems from improper socket permission handling within the Envoy proxy integration. Specifically, when L7 functionality is activated, the administrative socket file named admin.sock is created with world-readable permissions, allowing any local user or process to connect to the Envoy admin interface. This exposure enables attackers to execute a wide range of malicious activities including accessing sensitive TLS certificate information, modifying proxy configurations, disrupting network traffic flows, and potentially terminating the Envoy process entirely. The vulnerability manifests as a direct consequence of insufficient access control mechanisms and improper privilege separation between different user contexts on the host system.
The operational impact of this vulnerability extends beyond simple privilege escalation to encompass significant threats to cluster availability and data confidentiality. Attackers with local access can exploit this weakness to extract TLS secrets, which may include private keys, certificates, or other cryptographic material essential for maintaining secure communications between services. Additionally, the ability to manipulate Envoy's administrative interface allows threat actors to modify routing rules, inject traffic manipulation, or cause service disruptions that could compromise the integrity of cluster operations. This vulnerability particularly affects environments where multiple users share node access or where privilege escalation attacks are possible, making it a serious concern for organizations implementing zero-trust security models.
The remediation approach involves upgrading Cilium to versions 1.17.14, 1.18.8, or 1.19.2, which address the socket permission issue through proper access control enforcement. These patched versions implement stricter file permissions for the admin.sock and ensure that only authorized processes can access the Envoy administrative interface. Organizations should also consider implementing additional security controls such as restricting local user access to cluster nodes, monitoring for unauthorized socket connections, and enforcing principle of least privilege for node-level operations. This vulnerability aligns with CWE-732: Incorrect Permission Assignment for Critical Resource and represents a typical example of insecure default configurations that can be exploited through local privilege escalation techniques categorized under ATT&CK technique T1068: Exploitation for Privilege Escalation.
The security implications of this flaw highlight the critical importance of proper socket management and access control in distributed systems. The vulnerability demonstrates how seemingly minor implementation details in proxy integration can create significant security risks, particularly in multi-tenant environments where local access controls may be less stringent. Organizations should conduct thorough assessments of their Cilium deployments to ensure all affected versions have been patched and implement monitoring solutions to detect potential exploitation attempts against administrative interfaces. Regular security audits of containerized environments should include verification of socket permissions and access controls for all network proxy components to prevent similar vulnerabilities from being introduced in future deployments.