CVE-2026-56743 in Cilium
Summary
by MITRE • 07/15/2026
Cilium is a networking, observability, and security solution. From 1.19.0 to 1.19.4, standard Kubernetes NetworkPolicy specifications using CIDR-based ipBlock rules without pod or namespace selectors erroneously generate a wildcard namespace allow rule when Cilium is configured with a custom clusterName rather than the default any value. The parser incorrectly instantiates a pod selector on selectorless peer definitions, allowing traffic from other workloads in the same namespace as the subject of the policy. This issue is fixed in version 1.19.5.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
Cilium represents a sophisticated networking, observability, and security solution designed to provide advanced network policies and traffic management for Kubernetes environments. The vulnerability under analysis affects versions 1.19.0 through 1.19.4 where the implementation exhibits a critical flaw in how NetworkPolicy specifications are processed when utilizing CIDR-based ipBlock rules without associated pod or namespace selectors. This issue specifically manifests when Cilium operates with a custom clusterName configuration rather than maintaining the default any value, creating a dangerous misconfiguration that undermines network security boundaries.
The technical root cause of this vulnerability stems from an incorrect parser behavior that erroneously generates wildcard namespace allow rules inappropriately. When processing standard Kubernetes NetworkPolicy specifications containing CIDR-based ipBlock rules without pod or namespace selectors, the parser incorrectly instantiates a pod selector on selectorless peer definitions. This malfunction creates an unintended security loophole where traffic is permitted from other workloads within the same namespace as the subject of the policy, effectively bypassing the intended network isolation boundaries that should exist between different workloads.
This vulnerability directly impacts operational security by creating unexpected network access paths that could be exploited by malicious actors or compromised workloads. The incorrect instantiation of pod selectors on selectorless peer definitions allows for lateral movement within namespaces, undermining fundamental Kubernetes security principles and potentially enabling privilege escalation attacks. The issue becomes particularly dangerous when combined with custom clusterName configurations, as it creates a persistent backdoor that remains undetected during normal operations while maintaining unauthorized access privileges.
The flaw demonstrates characteristics consistent with CWE-284 (Improper Access Control) and aligns with ATT&CK techniques related to privilege escalation and lateral movement within containerized environments. Organizations utilizing Cilium in production environments with custom clusterName configurations face significant risk of unauthorized network access between workloads, particularly when deploying standard Kubernetes NetworkPolicy specifications that rely on CIDR-based ipBlock rules without explicit pod or namespace selectors.
Security mitigation requires immediate deployment of Cilium version 1.19.5 which contains the necessary fix for this vulnerability. Organizations should also conduct comprehensive audits of their existing network policies to identify any potentially affected configurations, particularly those using CIDR-based ipBlock rules with custom clusterName settings. Additional monitoring should be implemented to detect unusual traffic patterns that might indicate exploitation attempts, while security teams should review and validate all network policy implementations to ensure proper namespace isolation boundaries are maintained across their Kubernetes clusters.