Affected by GO-2025-3415
and 7 other vulnerabilities
GO-2025-3415: DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium
GO-2025-3416: Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium
GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium
GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium
GO-2026-4856: Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic in github.com/cilium/cilium
GO-2026-5400: Cillium exposes sensitive information included in the cilium-bugtool debug archive in github.com/cilium/cilium
GO-2026-5905: Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access in github.com/cilium/cilium
GO-2026-5914: CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation in github.com/cilium/cilium
Package auth provides routines to manage mutual authentication identities in Cilium.
If enabled, the operator will watch for CiliumIdentity resources and provision
corresponding external identities such as SPIFFE identities.