PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53935 cilium CVE debrief

CVE-2026-53935 is a medium-severity vulnerability in Cilium, a networking, observability, and security solution. The issue allows users with the ability to create CiliumLocalRedirectPolicies to specify arbitrary ClusterIPs, enabling traffic hijacking to Services in any namespace and bypassing namespace scoping. This affects Cilium versions prior to 1.17.16, 1.18.9, and 1.19.3. The vulnerability is fixed in versions 1.17.16, 1.18.10, and 1.19.4. Users with administrative access to create CiliumLocalRedirectPolicies should be aware of this vulnerability and take steps to upgrade to a patched version.

Vendor
cilium
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of Cilium, particularly those with administrative access to create CiliumLocalRedirectPolicies, should be aware of this vulnerability and take steps to upgrade to a patched version. Operators, platform administrators, and security teams responsible for managing Cilium deployments should review the vulnerability and plan for remediation.

Technical summary

The vulnerability exists in Cilium's Local Redirect Policy feature. Users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, allowing them to hijack traffic to Services in any namespace. This bypasses namespace scoping enforced by serviceMatcher. Deleting such a policy can also corrupt Cilium's internal service state and stop service translation for the affected Service. The issue is fixed in Cilium versions 1.17.16, 1.18.10, and 1.19.4.

Defensive priority

Medium priority due to the potential for traffic hijacking and service disruption.

Recommended defensive actions

  • Upgrade to Cilium version 1.17.16, 1.18.10, or 1.19.4, or later.
  • Restrict access to create CiliumLocalRedirectPolicies to trusted users.
  • Monitor Cilium logs for suspicious activity related to Local Redirect Policies.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-07-07T21:17:27.000Z and has not been modified since then. The NVD entry is currently unmodified. There are no additional details available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the affected Cilium versions and upgrade to a patched version if necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:27.000Z and has not been modified since then.