CVE-2026-56742 in Cilium
Summary
by MITRE • 07/15/2026
Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant authorization mechanism. Gateway API functionality is disabled by default. This issue is fixed in versions 1.17.17, 1.18.11, and 1.19.5.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability affects Cilium clusters that utilize the Gateway API functionality, which provides a standardized way to configure traffic routing and management within service meshes and cloud native environments. The issue exists in versions prior to 1.17.17, 1.18.11, and 1.19.5 where the authorization mechanisms for HTTPRoute resources are improperly implemented. When Gateway API is enabled, users who possess permissions to create or update namespaced HTTPRoutes can exploit a flaw that allows them to mirror HTTP traffic to any Service regardless of namespace restrictions. This represents a significant privilege escalation vulnerability as it bypasses the intended ReferenceGrant authorization mechanism that should control cross-namespace service references.
The technical flaw stems from insufficient validation within the HTTPRoute processing logic where the system fails to properly enforce namespace boundaries when determining which services can be referenced through traffic mirroring operations. Attackers with minimal permissions to manipulate HTTPRoute resources in their own namespace can leverage this vulnerability to redirect traffic to services they shouldn't have access to, effectively breaking the isolation guarantees that should exist between different namespaces in Kubernetes environments. This behavior violates fundamental security principles of least privilege and namespace isolation that are critical for multi-tenant cluster operations.
The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enable data exfiltration, service disruption, or lateral movement within the cluster. An attacker could use this capability to monitor traffic flowing to sensitive services in other namespaces, potentially accessing confidential information or disrupting critical operations. The vulnerability is particularly concerning because it affects clusters where Gateway API functionality is enabled, which is commonly used in production environments for advanced traffic management capabilities. This issue demonstrates a failure in the authorization model implementation that could allow attackers to bypass security controls designed to prevent cross-namespace access patterns.
The fix implemented in versions 1.17.17, 1.18.11, and 1.19.5 addresses the core authorization flaw by properly enforcing ReferenceGrant mechanisms when processing HTTPRoute traffic mirroring operations. Organizations should immediately upgrade their Cilium installations to these patched versions to eliminate the risk of unauthorized traffic redirection. System administrators should also review existing HTTPRoute configurations and monitor for any unusual traffic patterns that might indicate exploitation attempts.
This vulnerability aligns with CWE-284 (Improper Access Control) and represents a specific implementation weakness in the Gateway API controller's authorization logic. From an ATT&CK perspective, this issue could be leveraged as part of a privilege escalation technique to move laterally within a cluster environment, potentially mapping to techniques such as T1078 (Valid Accounts) and T1566 (Phishing). The vulnerability highlights the importance of proper authorization enforcement in API controllers and demonstrates how seemingly minor implementation flaws can have significant security implications in complex networking solutions. Organizations should also consider implementing additional monitoring around HTTPRoute creation and modification activities to detect potential exploitation attempts.