{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/envoy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cilium v1.19","Cilium v1.18","Cilium v1.17"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","kubernetes","container","cilium","envoy","local-privilege-escalation","information-disclosure","denial-of-service","misconfiguration"],"_cs_type":"advisory","_cs_vendors":["Cilium"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-49445, has been identified in Cilium, a widely used open-source networking, observability, and security solution for Kubernetes. The issue arises when Cilium's Layer 7 (L7) functionality is enabled, causing the underlying Envoy proxy instance to create a world-accessible administration socket on cluster nodes. This misconfiguration allows any local attacker who has gained access to a node to exploit the Envoy admin endpoints. Such exploitation can result in the disclosure of sensitive data, including TLS secrets, and significant operational impact, such as disrupting cluster traffic or forcibly terminating the Envoy process. The vulnerability affects Cilium versions 1.19.0 to 1.19.1, 1.18.0 to 1.18.7, and all versions prior to 1.17.14, and there is currently no known workaround. Patches have been released in versions 1.19.2, 1.18.8, and 1.17.14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker first gains local access to a Kubernetes cluster node where Cilium is deployed.\u003c/li\u003e\n\u003cli\u003eThe node is running a vulnerable version of Cilium with L7 functionality enabled, causing an Envoy proxy instance to be deployed.\u003c/li\u003e\n\u003cli\u003eThe Envoy instance, due to the misconfiguration, creates a world-accessible Unix domain socket for its administration interface.\u003c/li\u003e\n\u003cli\u003eThe local attacker discovers and accesses this world-accessible Envoy admin socket.\u003c/li\u003e\n\u003cli\u003eThe attacker then leverages the accessible admin endpoints to query for sensitive configuration data, such as TLS secrets.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker utilizes the admin endpoints to issue commands that disrupt network traffic within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker might also terminate the Envoy process, leading to a denial of service for L7-managed traffic.\u003c/li\u003e\n\u003cli\u003eThe final objective is either information exfiltration (e.g., TLS secrets) or denial of service to cluster resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a critical threat to the confidentiality and availability of Kubernetes clusters using Cilium with L7 functionality. Exploitation by a local attacker can directly lead to the exposure of highly sensitive information, such as TLS private keys, which could then be used for decrypting network communications, impersonating services, or escalating privileges. Beyond data theft, the attacker can disrupt or completely halt network traffic managed by Envoy, causing a denial of service for critical applications and services running within the cluster. Terminating the Envoy process directly impacts service availability. All deployment models, including embedded and standalone Envoy, are affected, increasing the potential blast radius across diverse Cilium installations. The source does not provide specific victim counts but highlights significant consequences for any affected organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all affected Cilium installations to a patched version (v1.19.2, v1.18.8, or v1.17.14) to remediate CVE-2026-49445.\u003c/li\u003e\n\u003cli\u003eImplement robust host-level security measures to prevent unauthorized local access to Kubernetes cluster nodes, thereby mitigating the prerequisite for this local exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T17:08:10Z","date_published":"2026-07-06T17:08:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cilium-envoy-socket-vulnerability/","summary":"When Cilium L7 functionality is enabled, a world-accessible Envoy admin socket is inadvertently created on cluster nodes. This misconfiguration (CVE-2026-49445) allows a local attacker to gain unauthorized access to Envoy's administrative endpoints, leading to sensitive information disclosure, such as the exposure of TLS secrets, and significant cluster disruption, including the interruption of traffic and the termination of Envoy processes.","title":"Cilium L7 Envoy Admin Socket Vulnerability (CVE-2026-49445)","url":"https://feed.craftedsignal.io/briefs/2026-07-cilium-envoy-socket-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Envoy","version":"https://jsonfeed.org/version/1.1"}