<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cilium V1.19 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cilium-v1.19/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 17:08:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cilium-v1.19/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cilium L7 Envoy Admin Socket Vulnerability (CVE-2026-49445)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cilium-envoy-socket-vulnerability/</link><pubDate>Mon, 06 Jul 2026 17:08:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cilium-envoy-socket-vulnerability/</guid><description>When Cilium L7 functionality is enabled, a world-accessible Envoy admin socket is inadvertently created on cluster nodes. This misconfiguration (CVE-2026-49445) allows a local attacker to gain unauthorized access to Envoy's administrative endpoints, leading to sensitive information disclosure, such as the exposure of TLS secrets, and significant cluster disruption, including the interruption of traffic and the termination of Envoy processes.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-49445, has been identified in Cilium, a widely used open-source networking, observability, and security solution for Kubernetes. The issue arises when Cilium's Layer 7 (L7) functionality is enabled, causing the underlying Envoy proxy instance to create a world-accessible administration socket on cluster nodes. This misconfiguration allows any local attacker who has gained access to a node to exploit the Envoy admin endpoints. Such exploitation can result in the disclosure of sensitive data, including TLS secrets, and significant operational impact, such as disrupting cluster traffic or forcibly terminating the Envoy process. The vulnerability affects Cilium versions 1.19.0 to 1.19.1, 1.18.0 to 1.18.7, and all versions prior to 1.17.14, and there is currently no known workaround. Patches have been released in versions 1.19.2, 1.18.8, and 1.17.14.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker first gains local access to a Kubernetes cluster node where Cilium is deployed.</li>
<li>The node is running a vulnerable version of Cilium with L7 functionality enabled, causing an Envoy proxy instance to be deployed.</li>
<li>The Envoy instance, due to the misconfiguration, creates a world-accessible Unix domain socket for its administration interface.</li>
<li>The local attacker discovers and accesses this world-accessible Envoy admin socket.</li>
<li>The attacker then leverages the accessible admin endpoints to query for sensitive configuration data, such as TLS secrets.</li>
<li>Alternatively, the attacker utilizes the admin endpoints to issue commands that disrupt network traffic within the cluster.</li>
<li>The attacker might also terminate the Envoy process, leading to a denial of service for L7-managed traffic.</li>
<li>The final objective is either information exfiltration (e.g., TLS secrets) or denial of service to cluster resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability poses a critical threat to the confidentiality and availability of Kubernetes clusters using Cilium with L7 functionality. Exploitation by a local attacker can directly lead to the exposure of highly sensitive information, such as TLS private keys, which could then be used for decrypting network communications, impersonating services, or escalating privileges. Beyond data theft, the attacker can disrupt or completely halt network traffic managed by Envoy, causing a denial of service for critical applications and services running within the cluster. Terminating the Envoy process directly impacts service availability. All deployment models, including embedded and standalone Envoy, are affected, increasing the potential blast radius across diverse Cilium installations. The source does not provide specific victim counts but highlights significant consequences for any affected organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade all affected Cilium installations to a patched version (v1.19.2, v1.18.8, or v1.17.14) to remediate CVE-2026-49445.</li>
<li>Implement robust host-level security measures to prevent unauthorized local access to Kubernetes cluster nodes, thereby mitigating the prerequisite for this local exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>kubernetes</category><category>container</category><category>cilium</category><category>envoy</category><category>local-privilege-escalation</category><category>information-disclosure</category><category>denial-of-service</category><category>misconfiguration</category></item></channel></rss>