GHSA-5r23-prx4-mqg3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5r23-prx4-mqg3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5r23-prx4-mqg3
- Aliases
- Downstream
- Published
- 2026-02-19T19:39:01Z
- Modified
- 2026-02-23T19:40:58.531438Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
- Details
-
Impact
Host Policies will incorrectly permit traffic from Pods on other nodes when all of the following configurations are enabled: * Native Routing * WireGuard * Node Encryption (beta)
These options are disabled by default in Cilium.
Patches
This issue was fixed by #42892.
This issue affects:
- Cilium v1.18 between v1.18.0 and v1.18.5 inclusive
This issue is fixed in:
- Cilium v1.18.6
Workarounds
There is currently no officially verified or comprehensive workaround for this issue. The following procedure has been validated strictly within a local 'Kind' environment and has not undergone exhaustive testing across diverse production architectures. Proceed with caution.
To mitigate the identified traffic bypass, ensure all ingress traffic from the
cilium_wg0interface is explicitly routed tocilium_hostfor policy enforcement. This ensures that host-level security policies are applied to decrypted WireGuard traffic. Execute the following configuration on each CiliumNode:# IPv4 Traffic ip rule add iif cilium_wg0 table 300 ip route add default dev cilium_host table 300 # IPv6 Traffic ip -6 rule add iif cilium_wg0 table 300 ip -6 route add default dev cilium_net table 300Acknowledgements
Special thanks to @julianwiedmann for reporting the issue and helping with the resolution.
For more information
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-02-19T19:39:01Z", "severity": "MODERATE", "nvd_published_at": "2026-02-20T00:16:16Z", "cwe_ids": [ "CWE-863" ] }- References
-
- https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3
- https://nvd.nist.gov/vuln/detail/CVE-2026-26963
- https://github.com/cilium/cilium/pull/42892
- https://github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885
- https://github.com/cilium/cilium
- https://github.com/cilium/cilium/releases/tag/v1.18.6
Affected packages
Go / github.com/cilium/cilium
Package
- Name
- github.com/cilium/cilium
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/cilium/cilium