Skip to content
CVSS 9.2 · CRITICAL

CVE-2026-49445

Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes, allowing a local attacker to access Envoy admin endpoints, expose TLS secrets, disrupt cluster traffic, or terminate Envoy. This issue is fixed in versions 1.17.14, 1.18.8, and 1.19.2.

View on NVD

Analysis

Cilium networking installations are vulnerable to local privilege escalation and data theft via a world-accessible Envoy admin socket. Attackers with access to a node or a compromised pod can expose TLS secrets, terminate Envoy processes, or disrupt cluster-wide traffic. Users should upgrade to Cilium 1.17.14, 1.18.8, or 1.19.2 immediately.

Relevant roles

CloudCyberSecurityBackendKubernetesDockerLinux

Severity

Score: 9.2(CRITICAL)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
AV: LOCAL
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: LOW
A: HIGH
Weakness (CWE): CWE-732

EPSS

No EPSS score yet (CVE may be too fresh).

Technical description

Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes, allowing a local attacker to access Envoy admin endpoints, expose TLS secrets, disrupt cluster traffic, or terminate Envoy. This issue is fixed in versions 1.17.14, 1.18.8, and 1.19.2.

Published: 7/15/2026, 8:17:10 PM
Last modified: 7/15/2026, 8:54:43 PM

References

HomeEventsBlogResourcesTeam