from 0, < 1.9.16, >= 1.10.0, < 1.10.11, >= 1.11.0, < 1.11.5
HIGH8.0CVE-2024-28860Insecure IPsec transparent encryption in github.com/cilium/cilium >= 1.14.0, < 1.14.9, >= 1.15.0, < 1.15.3 | >= 1.4.0, <= 1.13.14
HIGH7.9CVE-2026-41520Cillium exposes sensitive information included in the cilium-bugtool debug archive from 0, < 1.17.15, >= 1.18.0, < 1.18.9, >= 1.19.0, < 1.19.3
HIGH7.9Cilium leaks sensitive information in cilium-bugtool
>= 1.15.4, < 1.15.6
HIGH7.5Improper Privilege Management in Cilium
from 0, < 1.9.16, >= 1.10.0, < 1.10.11, >= 1.11.0, < 1.11.5
HIGH7.2HTTP policy bypass in github.com/cilium/cilium
>= 1.13.9, < 1.13.13, >= 1.14.0, < 1.14.8, >= 1.15.0, < 1.15.2
HIGH7.2Debug mode leaks confidential data in Cilium
>= 1.7.0, < 1.11.16, >= 1.12.0, < 1.12.9, >= 1.13.0, < 1.13.2
MEDIUM6.9Bypass of namespace restrictions in CiliumNetworkPolicy
from 0, < 1.12.14, >= 1.13.0, < 1.13.7, >= 1.14.0, < 1.14.2
MEDIUM6.8Cilium agent's race condition may lead to policy bypass for Host Firewall policy
>= 1.15.4, < 1.16.0
MEDIUM6.5Cilium vulnerable to information leakage via insecure default Hubble UI CORS header
>= 1.14.0, < 1.16.5
MEDIUM6.5Cilium eBPF filters may be temporarily removed during agent restart
>= 1.13.0, < 1.13.1
MEDIUM6.1Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
>= 1.18.0, < 1.18.6
MEDIUM6.1Unencrypted traffic between nodes with WireGuard in github.com/cilium/cilium
>= 1.14.0, < 1.14.8, >= 1.15.0, < 1.15.2
MEDIUM6.1Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium
from 0, < 1.13.13, >= 1.14.0, < 1.14.8, >= 1.15.0, < 1.15.2
MEDIUM6.1Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium
from 0, < 1.14.7
MEDIUM6.1Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium
>= 1.14.0, < 1.14.7
MEDIUM5.8Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium
>= 1.16.0, < 1.16.4
MEDIUM5.4Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic
from 0, < 1.17.14, >= 1.18.0, < 1.18.8, >= 1.19.0, < 1.19.2
MEDIUM5.4Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API
>= 1.15.0, < 1.16.1
MEDIUM5.4Cilium NetworkPolicy bypass via pod labels
from 0, < 1.12.14, >= 1.13.0, < 1.13.7, >= 1.14.0, < 1.14.2
MEDIUM5.3DoS in Cilium agent DNS proxy from crafted DNS responses
>= 1.15.4, < 1.16.5
MEDIUM5.3Potential HTTP policy bypass when using header rules in Cilium
from 0, < 1.11.16, >= 1.12.0, < 1.12.9, >= 1.13.0, < 1.13.2
MEDIUM4.4cilium-agent container can access the host via `hostPath` mount
from 0, < 1.11.15, >= 1.12.0, < 1.12.8, >= 1.13.0, < 1.13.1
MEDIUM4.2Cilium vulnerable to potential network policy bypass when routing IPv6 traffic
from 0, < 1.11.15, >= 1.12.0, < 1.12.8, >= 1.13.0, < 1.13.1
MEDIUM4.0Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic
from 0, < 1.16.17, >= 1.17.0, < 1.17.10, >= 1.18.0, < 1.18.4
MEDIUM4.0Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters
>= 1.13.0, < 1.17.3
MEDIUM4.0CIDR deny policies may not take effect when a more narrow CIDR allow is present
>= 1.15.4, < 1.16.0
MEDIUM4.0Cilium's Gateway API route matching order contradicts specification
>= 1.15.0, < 1.16.1
LOW3.5Denial of service via Kubernetes annotations in specific Cilium configurations
from 0, < 1.12.14, >= 1.13.0, < 1.13.7, >= 1.14.0, < 1.14.2
LOW3.4Node based network policies may incorrectly allow workload traffic
>= 1.16.0, < 1.17.2
LOW3.4Cilium vulnerable to information leakage via incorrect ReferenceGrant handling
from 0, < 1.13.4
LOW3.2East-west traffic not subject to egress policy enforcement for requests via Gateway API load balancers
>= 1.15.0, < 1.17.2