CVE-2026-26963 PUBLISHED

Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled

Assigner: GitHub_M
Reserved: 16.02.2026 Published: 19.02.2026 Updated: 20.02.2026

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Attack Vector	Adjacent Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	cilium
Product	cilium
Versions	Version >= 1.18.0, < 1.18.6 is affected

References

https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3
https://github.com/cilium/cilium/pull/42892
https://github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885
https://github.com/cilium/cilium/releases/tag/v1.18.6

Problem Types

CWE-863: Incorrect Authorization CWE