CVE-2026-56743 Overview
CVE-2026-56743 is an authorization flaw [CWE-863] in Cilium, an open-source networking, observability, and security solution for Kubernetes. Versions 1.19.0 through 1.19.4 mishandle standard Kubernetes NetworkPolicy specifications that use CIDR-based ipBlock rules without pod or namespace selectors. When Cilium runs with a custom clusterName instead of the default any, the policy parser incorrectly generates a wildcard namespace allow rule. This causes traffic from other workloads in the same namespace as the policy subject to be permitted, contradicting the intended isolation. The issue is fixed in Cilium version 1.19.5.
Critical Impact
Selectorless ipBlock NetworkPolicies silently allow lateral traffic from adjacent workloads in the same namespace, undermining Kubernetes network segmentation guarantees.
Affected Products
- Cilium 1.19.0
- Cilium 1.19.1 through 1.19.3
- Cilium 1.19.4
Discovery Timeline
- 2026-07-15 - CVE-2026-56743 published to the National Vulnerability Database (NVD)
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-56743
Vulnerability Analysis
Cilium translates Kubernetes NetworkPolicy objects into its own internal policy representation. The parser in pkg/k8s/network_policy.go processes each NetworkPolicyPeer entry defined in ingress.from or egress.to. When a peer uses only an ipBlock field, both PodSelector and NamespaceSelector are nil, and the parser is expected to return no selector-based match. Instead, the parser instantiates an empty pod selector, which Cilium interprets as a wildcard match against all pods in the same namespace as the policy target. The bug only surfaces when the clusterName configuration option is set to a non-default value, because the code path that constructs namespace-scoped selectors branches on the cluster identity.
Root Cause
The root cause is missing input validation on selectorless peer definitions inside parseNetworkPolicyPeer. The function did not reject peers where both PodSelector and NamespaceSelector were nil, so an implicit empty selector was created and expanded to match every pod within the policy namespace.
Attack Vector
An attacker who controls a workload in the same namespace as a target pod can send traffic to that pod even when the applied NetworkPolicy restricts ingress to an unrelated CIDR range. Exploitation requires local network adjacency inside the cluster and low privileges consistent with running a pod in that namespace.
// Security patch in pkg/k8s/network_policy.go
// fix: Fix wildcard namespace bypass for selectorless ipBlock rules
func parseNetworkPolicyPeer(clusterName, namespace string, peer *slim_networkingv1.NetworkPolicyPeer) types.Selector {
- if peer == nil {
+ if peer == nil || (peer.PodSelector == nil && peer.NamespaceSelector == nil) {
return nil
}
Source: Cilium Commit bacea64
The patch adds an explicit nil check for both selectors. When both are absent, the function returns nil, preventing generation of the wildcard namespace rule.
Detection Methods for CVE-2026-56743
Indicators of Compromise
- Cilium agent running versions 1.19.0 through 1.19.4 with a non-default cluster-name configuration value.
- NetworkPolicy objects that declare ipBlock peers without accompanying podSelector or namespaceSelector fields.
- Unexpected in-namespace pod-to-pod flows observed in Hubble or cluster flow logs that should have been denied by an active policy.
Detection Strategies
- Audit all NetworkPolicy resources across the cluster and flag rules where from or to peers contain only an ipBlock field.
- Correlate Cilium agent configuration (cluster-name) with the running version to identify affected clusters.
- Compare intended policy semantics with actual allowed flows using Hubble observability data to reveal namespace-wide allowances.
Monitoring Recommendations
- Enable Hubble flow logging and alert on ingress or egress connections that traverse pods sharing a namespace with a restrictive policy target.
- Track Kubernetes admission events for NetworkPolicy creation and modification, focusing on selectorless ipBlock patterns.
- Forward Cilium and Kubernetes audit logs to a centralized analytics platform for continued review after upgrading.
How to Mitigate CVE-2026-56743
Immediate Actions Required
- Upgrade Cilium to version 1.19.5 or later on all clusters using a custom clusterName.
- Inventory existing NetworkPolicy objects and identify those using CIDR-only ipBlock peers without selectors.
- Validate policy behavior post-upgrade using connectivity tests between workloads in shared namespaces.
Patch Information
The fix is delivered in Cilium Release v1.19.5. The change is implemented across Cilium Pull Request #46305 and Cilium Pull Request #46456, with the core code change in Cilium Commit bacea64 and Cilium Commit 1c84ae3. Full details are available in GitHub Security Advisory GHSA-fm8w-2m5w-9j7r.
Workarounds
- Rewrite affected policies to include an explicit podSelector: {} or namespaceSelector: {} alongside the ipBlock peer to force deterministic selector evaluation.
- Revert the Cilium cluster-name setting to the default any value where operationally feasible, which avoids the vulnerable code path.
- Apply defense-in-depth policies that deny intra-namespace traffic by default until the upgrade is completed.
# Verify Cilium version and cluster-name configuration
kubectl -n kube-system exec ds/cilium -- cilium version
kubectl -n kube-system get configmap cilium-config -o jsonpath='{.data.cluster-name}'
# Upgrade Cilium via Helm to the fixed release
helm upgrade cilium cilium/cilium \
--namespace kube-system \
--version 1.19.5 \
--reuse-values
# Identify NetworkPolicies with selectorless ipBlock peers
kubectl get networkpolicy -A -o json | \
jq '.items[] | select(.spec.ingress[]?.from[]? | (has("ipBlock") and (has("podSelector")|not) and (has("namespaceSelector")|not)))'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

