CVE-2026-53935 in Cilium
Summary
by MITRE • 07/07/2026
Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/07/2026
The vulnerability described affects Cilium, a comprehensive networking, observability, and security solution widely used in containerized environments for managing network policies and service discovery. This security flaw exists in specific version ranges spanning multiple releases, creating a significant risk for Kubernetes clusters utilizing Cilium's local redirect policy functionality. The issue stems from insufficient validation mechanisms within the CiliumLocalRedirectPolicy implementation that allows unauthorized users to manipulate service targeting through the addressMatcher parameter.
The technical exploitation of this vulnerability occurs when users with sufficient privileges can create CiliumLocalRedirectPolicies that specify arbitrary ClusterIP addresses via the addressMatcher field. This capability enables attackers to redirect traffic intended for legitimate services to malicious destinations, effectively hijacking network communication. The flaw specifically bypasses the namespace scoping enforcement mechanisms that should normally restrict service access to authorized namespaces, as controlled by the serviceMatcher component. This represents a critical authorization bypass vulnerability where unauthorized traffic redirection becomes possible regardless of the target service's namespace restrictions.
The operational impact of this vulnerability extends beyond simple traffic hijacking to include potential service disruption and complete breakdown of Cilium's internal service state management. When such malicious policies are deleted, they can corrupt Cilium's internal data structures responsible for maintaining service translation mappings, leading to complete service translation failures for the affected cluster services. This corruption effectively renders services inaccessible within the cluster, creating both security and availability concerns that can severely impact cluster operations and application availability.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a privilege escalation issue where low-privilege users can gain elevated capabilities through manipulation of policy definitions. From an ATT&CK perspective, this maps to T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing) as attackers could potentially redirect traffic to malicious endpoints or create false service responses. The attack vector specifically leverages the CiliumLocalRedirectPolicy API endpoint, which should require appropriate authorization controls but fails to validate addressMatcher inputs against legitimate service boundaries.
Mitigation strategies involve upgrading to the fixed versions 1.17.16, 1.18.10, and 1.19.4, which implement proper validation mechanisms for addressMatcher parameters and enforce namespace scoping restrictions. Organizations should also review existing CiliumLocalRedirectPolicies within their clusters to identify and remove any potentially malicious configurations. Network segmentation controls should be implemented to limit the ability to create such policies to trusted administrators only, while monitoring systems should be configured to detect anomalous policy creation patterns that might indicate exploitation attempts. Additionally, regular auditing of service access controls and network policy enforcement mechanisms should be conducted to ensure proper isolation between namespaces and prevent similar authorization bypass vulnerabilities from occurring in other components of the Cilium ecosystem.