Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant authorization mechanism. Gateway API functionality is disabled by default. This issue is fixed in versions 1.17.17, 1.18.11, and 1.19.5.
History

Thu, 16 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Cilium
Cilium cilium
Vendors & Products Cilium
Cilium cilium

Wed, 15 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Cilium is a networking, observability, and security solution. Prior to 1.17.17, 1.18.11, and 1.19.5, Cilium clusters using Gateway API allow users with permissions to create or update namespaced HTTPRoutes to mirror HTTP traffic to any Service in any namespace, bypassing the ReferenceGrant authorization mechanism. Gateway API functionality is disabled by default. This issue is fixed in versions 1.17.17, 1.18.11, and 1.19.5.
Title Cilium: Namespaced HTTPRoutes can redirect traffic to other namespaces
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-16T12:57:08.040Z

Reserved: 2026-06-22T19:17:28.959Z

Link: CVE-2026-56742

cve-icon Vulnrichment

Updated: 2026-07-16T12:56:50.559Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-15T22:00:06Z