PatchSiren cyber security CVE debrief
CVE-2026-53935 cilium CVE debrief
CVE-2026-53935 is a medium-severity vulnerability in Cilium, a networking, observability, and security solution. The issue allows users with the ability to create CiliumLocalRedirectPolicies to specify arbitrary ClusterIPs, enabling traffic hijacking to Services in any namespace and bypassing namespace scoping. This affects Cilium versions prior to 1.17.16, 1.18.9, and 1.19.3. The vulnerability is fixed in versions 1.17.16, 1.18.10, and 1.19.4. Users with administrative access to create CiliumLocalRedirectPolicies should be aware of this vulnerability and take steps to upgrade to a patched version.
- Vendor
- cilium
- Product
- Unknown
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of Cilium, particularly those with administrative access to create CiliumLocalRedirectPolicies, should be aware of this vulnerability and take steps to upgrade to a patched version. Operators, platform administrators, and security teams responsible for managing Cilium deployments should review the vulnerability and plan for remediation.
Technical summary
The vulnerability exists in Cilium's Local Redirect Policy feature. Users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, allowing them to hijack traffic to Services in any namespace. This bypasses namespace scoping enforced by serviceMatcher. Deleting such a policy can also corrupt Cilium's internal service state and stop service translation for the affected Service. The issue is fixed in Cilium versions 1.17.16, 1.18.10, and 1.19.4.
Defensive priority
Medium priority due to the potential for traffic hijacking and service disruption.
Recommended defensive actions
- Upgrade to Cilium version 1.17.16, 1.18.10, or 1.19.4, or later.
- Restrict access to create CiliumLocalRedirectPolicies to trusted users.
- Monitor Cilium logs for suspicious activity related to Local Redirect Policies.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-07T21:17:27.000Z and has not been modified since then. The NVD entry is currently unmodified. There are no additional details available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the affected Cilium versions and upgrade to a patched version if necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:27.000Z and has not been modified since then.