CVE-2026-26963: Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
Host Policies will incorrectly permit traffic from Pods on other nodes when all of the following configurations are enabled: Native Routing, WireGuard, and Node Encryption.
These options are disabled by default in Cilium.
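To check whether a cluster runs the combination described above, the following added example (not code from the advisory or the Cilium project) evaluates a `cilium-config` ConfigMap exported as JSON. It assumes the agent ConfigMap keys `routing-mode` (or the older `tunnel: disabled`), `enable-wireguard`, `encrypt-node` and `enable-host-firewall`, and it also requires the host firewall to be on, since Host Policies only apply there; the sample input is constructed.

```python
import json
import sys

# Constructed sample in the shape of:
#   kubectl -n kube-system get configmap cilium-config -o json
SAMPLE = json.dumps({"data": {
    "routing-mode": "native",
    "enable-wireguard": "true",
    "encrypt-node": "true",
    "enable-host-firewall": "true",
}})


def _on(data, key):
    # ConfigMap values are strings; a missing key counts as disabled.
    return str(data.get(key, "false")).strip().lower() == "true"


def advisory_conditions(configmap_json):
    """Map each condition named in the advisory to whether it is enabled."""
    data = json.loads(configmap_json).get("data") or {}
    mode = str(data.get("routing-mode", "")).strip().lower()
    # Assumption: older releases express native routing as `tunnel: disabled`.
    legacy_native = str(data.get("tunnel", "")).strip().lower() == "disabled"
    return {
        "host firewall": _on(data, "enable-host-firewall"),
        "native routing": mode == "native" or legacy_native,
        "wireguard": _on(data, "enable-wireguard"),
        "node encryption": _on(data, "encrypt-node"),
    }


def is_exposed(configmap_json):
    """True only when every condition holds ("all of the following")."""
    return all(advisory_conditions(configmap_json).values())


if __name__ == "__main__":
    # Pass a file holding the exported ConfigMap, or run with the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, enabled in advisory_conditions(raw).items():
        print(f"{name:16} {'enabled' if enabled else 'disabled'}")
    print("affected configuration" if is_exposed(raw)
          else "not the affected configuration")
```

A result of "affected configuration" means the cluster matches the advisory's preconditions; whether the running version already contains the fix has to be checked separately against the release listed in the references.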
References
- github.com/advisories/GHSA-5r23-prx4-mqg3
- github.com/cilium/cilium
- github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885
- github.com/cilium/cilium/pull/42892
- github.com/cilium/cilium/releases/tag/v1.18.6
- github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3
- nvd.nist.gov/vuln/detail/CVE-2026-26963