PatchSiren cyber security CVE debrief
CVE-2026-49445 cilium CVE debrief
CVE-2026-49445 is a critical vulnerability in Cilium, a networking, observability, and security solution. When Cilium's L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes. This allows a local attacker to access Envoy admin endpoints, potentially exposing TLS secrets, disrupting cluster traffic, or terminating Envoy. The issue is fixed in Cilium versions 1.17.14, 1.18.8, and 1.19.2. Affected systems should be patched immediately.
- Vendor
- cilium
- Product
- Unknown
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
System administrators and security teams managing Cilium installations, especially those with L7 functionality enabled, should be aware of this vulnerability and take immediate action to patch affected systems. This includes reviewing current deployments, assessing potential impact, and applying necessary updates or mitigations.
Technical summary
The vulnerability arises from Cilium's L7 functionality, which, when enabled, causes the Envoy instance to create a world-accessible admin socket (admin.sock) on cluster nodes. This socket allows unauthorized access to Envoy admin endpoints, potentially leading to sensitive information disclosure, traffic disruption, or service termination. The vulnerability is characterized by the following: - CVSS Score: 9.2 - CVSS Severity: Critical - CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H - CWE: 732. The vulnerability was addressed in Cilium versions 1.17.14, 1.18.8, and 1.19.2.
Defensive priority
High priority should be given to patching affected Cilium installations, especially in environments where L7 functionality is enabled. Immediate action is required to prevent potential exploitation and minimize risk to the organization. Compensating controls, such as restricting access to the admin.sock file and monitoring for suspicious activity, should also be considered while patching is in progress or if patching is delayed.
Recommended defensive actions
- Immediately upgrade to Cilium version 1.17.14, 1.18.8, or 1.19.2
- Disable L7 functionality if not required
- Restrict access to the admin.sock file
- Monitor for suspicious activity on Envoy admin endpoints
- Perform a thorough review of current Cilium deployments to identify potential exposure
- Implement additional monitoring for Cilium instances to detect potential exploitation attempts
- Track and document the remediation process for auditing and future reference
Evidence notes
The CVE record was published on 2026-07-15T20:17:10.453Z and was last modified on 2026-07-16T16:19:10.207Z. The NVD entry is currently Undergoing Analysis. The vulnerability was reported by an unknown source and fixed by the Cilium development team. Evidence is limited, and defenders should verify affected systems and review official advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T20:17:10.453Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.