Cilium L7 proxy bypasses Kubernetes NetworkPolicy on same-node traffic
GHSA-hxv8-4j4r-cqgv
CVE-2026-33726
GO-2026-4856
Summary
Cilium, a networking tool for Kubernetes, may not enforce network policies for traffic between pods and L7 services on the same node. This can happen in certain Cilium deployments, such as Amazon EKS with Cilium ENI mode. To ensure security, update to a fixed version of Cilium or consider disabling Per-Endpoint Routing if it's not essential.
What to do
- Update cilium (github.com) to version 1.17.14.
- Update cilium (github.com) to version 1.18.8.
- Update cilium (github.com) to version 1.19.2.
- Update github.com/cilium/cilium (vendor: cilium) to version 1.19.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | cilium | <= 1.17.14 | 1.17.14 |
| github.com | cilium | > 1.18.0 , <= 1.18.8 | 1.18.8 |
| github.com | cilium | > 1.19.0 , <= 1.19.2 | 1.19.2 |
| cilium | github.com/cilium/cilium | > 1.19.0 , <= 1.19.2 | 1.19.2 |
Original title
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from ...
Original description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers.
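The description above names three conditions that have to coincide: a version below the patched release of its series, Per-Endpoint Routing enabled (explicitly, or implicitly through a cloud IPAM mode), and BPF Host Routing disabled, in a cluster that sends pod traffic to L7 services. The following Python script is an added triage example, not code from Cilium or from the advisory: it checks those conditions against a version string and the `key value` text layout of `cilium config view`. The config key names `enable-endpoint-routes`, `enable-host-legacy-routing` and `ipam`, the treatment of series outside 1.17 to 1.19, and both sample configs are assumptions or constructed data, to be confirmed against your own cluster.

```python
"""Triage helper for CVE-2026-33726 (added example, not Cilium's own code).

Evaluates the advisory's preconditions: unpatched version, Per-Endpoint Routing
on, BPF Host Routing off, L7 services in use. Config is read in the
`key<spaces>value` layout of `cilium config view`; the key names used here are
assumptions to verify against a real cilium-config ConfigMap.
"""
import re

# Patched releases named in the advisory, keyed by minor series.
FIXED_RELEASES = {(1, 17): (1, 17, 14), (1, 18): (1, 18, 8), (1, 19): (1, 19, 2)}

# IPAM modes the advisory lists as auto-enabling Per-Endpoint Routing.
CLOUD_IPAM_MODES = {"eni", "azure", "alibabacloud"}

# Constructed sample (not captured from a real cluster): ENI mode on EKS with
# legacy host routing, i.e. the combination the advisory describes.
SAMPLE_ENI_CONFIG = """\
enable-endpoint-routes          true
enable-host-legacy-routing      true
ipam                            eni
routing-mode                    native
"""

# Constructed sample: tunneled deployment without Per-Endpoint Routing.
SAMPLE_TUNNEL_CONFIG = """\
enable-endpoint-routes          false
enable-host-legacy-routing      false
ipam                            kubernetes
routing-mode                    tunnel
"""


def parse_version(text):
    """Extract the first x.y.z triple from a string such as 'v1.18.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(n) for n in m.groups())


def version_is_patched(text):
    """True when the version is at or above the fixed release of its series.

    Series below 1.17 have no fix listed and are treated as unpatched; series
    above 1.19 are assumed to carry the fix (assumption, not from the advisory).
    """
    v = parse_version(text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return v[:2] > (1, 19)
    return v >= fixed


def parse_config(text):
    """Parse `cilium config view`-style lines into a {key: value} dict."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0]] = parts[1].strip()
    return cfg


def is_true(value):
    return str(value).strip().lower() in {"true", "1", "yes"}


def assess(version, config_text, l7_services_in_use):
    """Return which preconditions hold; 'exposed' is True when all of them do."""
    cfg = parse_config(config_text)
    reasons = []
    patched = version_is_patched(version)

    endpoint_routes = is_true(cfg.get("enable-endpoint-routes", "false"))
    ipam = cfg.get("ipam", "").lower()
    if not endpoint_routes and ipam in CLOUD_IPAM_MODES:
        # Cloud IPAM turns Per-Endpoint Routing on automatically, so a missing
        # or false key under these modes is treated as enabled, not as safe.
        endpoint_routes = True
        reasons.append(f"ipam={ipam} enables Per-Endpoint Routing implicitly")

    # BPF Host Routing is off whenever legacy host routing is on. If the key is
    # absent the mode is unknown (None) and is flagged rather than assumed safe;
    # the agent may also fall back to legacy routing at runtime.
    legacy = cfg.get("enable-host-legacy-routing")
    bpf_host_routing = None if legacy is None else not is_true(legacy)
    if bpf_host_routing is None:
        reasons.append("host routing mode not in config; confirm with cilium status")

    exposed = bool(
        not patched and endpoint_routes and bpf_host_routing is not True and l7_services_in_use
    )
    return {
        "patched": patched,
        "endpoint_routes": endpoint_routes,
        "bpf_host_routing": bpf_host_routing,
        "exposed": exposed,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for ver in ("v1.18.7", "v1.18.8"):
        for name, text in (("eni", SAMPLE_ENI_CONFIG), ("tunnel", SAMPLE_TUNNEL_CONFIG)):
            r = assess(ver, text, l7_services_in_use=True)
            print(f"{ver} {name:6} exposed={r['exposed']} {r['reasons']}")
```

In practice, feed the script the saved output of `cilium config view` and the agent version from `cilium version`, and treat `exposed=True` as "schedule the upgrade" rather than as proof of exploitability: the check deliberately errs toward flagging when the host routing mode is not visible in the config, since the advisory offers no verified workaround and disabling Per-Endpoint Routing is disruptive.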
GHSA CVSS 3.1 score: 5.4
Vulnerability type
CWE-284: Improper Access Control
CWE-863: Incorrect Authorization
References
- https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv
- https://github.com/cilium/cilium/pull/44693
- https://docs.cilium.io/en/stable/network/concepts/routing/#routing
- https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy
- https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management
- https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routin...
- https://github.com/advisories/GHSA-hxv8-4j4r-cqgv
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 26 Mar 2026