Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.1
Cilium: Network Security Policy Bypass with Certain Configurations
CVE-2026-26963
GHSA-5r23-prx4-mqg3
Summary
A security issue in Cilium allows unauthorized traffic to bypass network security policies when specific features are enabled. This can happen if you're using Cilium 1.18 between versions 1.18.0 and 1.18.5. To fix this, update to Cilium version 1.18.6 or use a workaround to manually configure traffic routing to ensure security policies are applied. You should only attempt the workaround if you're familiar with Cilium configuration and have a test environment to verify its effectiveness.
What to do
- Update github.com cilium to version 1.18.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | cilium | > 1.18.0 , <= 1.18.5 | 1.18.6 |
| cilium | cilium | > 1.18.0 , <= 1.18.6 | – |
Original title
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
Original description
### Impact
[Host Policies](https://docs.cilium.io/en/stable/security/policy/language/#host-policies) will incorrectly permit traffic from Pods on other nodes when all of the following configurations are enabled:
* [Native Routing](https://docs.cilium.io/en/stable/network/concepts/routing/#native-routing)
* [WireGuard](https://docs.cilium.io/en/stable/security/policy/language/#host-policies)
* [Node Encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#node-to-node-encryption-beta) (beta)
These options are disabled by default in Cilium.
### Patches
This issue was fixed by #42892.
This issue affects:
* Cilium v1.18 between v1.18.0 and v1.18.5 inclusive
This issue is fixed in:
* Cilium v1.18.6
### Workarounds
There is currently no officially verified or comprehensive workaround for this issue. The following procedure has been validated strictly within a local 'Kind' environment and has not undergone exhaustive testing across diverse production architectures. Proceed with caution.
To mitigate the identified traffic bypass, ensure all ingress traffic from the `cilium_wg0` interface is explicitly routed to `cilium_host` for policy enforcement. This ensures that host-level security policies are applied to decrypted WireGuard traffic. Execute the following configuration on each CiliumNode:
```bash
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
```
### Acknowledgements
Special thanks to @julianwiedmann for reporting the issue and helping with the resolution.
### For more information
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.
[Host Policies](https://docs.cilium.io/en/stable/security/policy/language/#host-policies) will incorrectly permit traffic from Pods on other nodes when all of the following configurations are enabled:
* [Native Routing](https://docs.cilium.io/en/stable/network/concepts/routing/#native-routing)
* [WireGuard](https://docs.cilium.io/en/stable/security/policy/language/#host-policies)
* [Node Encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#node-to-node-encryption-beta) (beta)
These options are disabled by default in Cilium.
### Patches
This issue was fixed by #42892.
This issue affects:
* Cilium v1.18 between v1.18.0 and v1.18.5 inclusive
This issue is fixed in:
* Cilium v1.18.6
### Workarounds
There is currently no officially verified or comprehensive workaround for this issue. The following procedure has been validated strictly within a local 'Kind' environment and has not undergone exhaustive testing across diverse production architectures. Proceed with caution.
To mitigate the identified traffic bypass, ensure all ingress traffic from the `cilium_wg0` interface is explicitly routed to `cilium_host` for policy enforcement. This ensures that host-level security policies are applied to decrypted WireGuard traffic. Execute the following configuration on each CiliumNode:
```bash
# IPv4 Traffic
ip rule add iif cilium_wg0 table 300
ip route add default dev cilium_host table 300
# IPv6 Traffic
ip -6 rule add iif cilium_wg0 table 300
ip -6 route add default dev cilium_net table 300
```
### Acknowledgements
Special thanks to @julianwiedmann for reporting the issue and helping with the resolution.
### For more information
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority. Please also address any comments or questions on this advisory to the same mailing list.
nvd CVSS3.1
5.4
Vulnerability type
CWE-863
Incorrect Authorization
- https://nvd.nist.gov/vuln/detail/CVE-2026-26963
- https://github.com/advisories/GHSA-5r23-prx4-mqg3
- https://github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885 Patch
- https://github.com/cilium/cilium/pull/42892 Issue Tracking
- https://github.com/cilium/cilium/releases/tag/v1.18.6 Release Notes
- https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3 Patch Vendor Advisory
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026