Description
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to version 1.13.4, when Gateway API is enabled in Cilium, the absence of a check on the namespace in which a ReferenceGrant is created could result in Cilium unintentionally gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can leverage this issue to use cluster secrets that should not be visible to them, or communicate with services that they should not have access to. Gateway API functionality is disabled by default. This vulnerability is fixed in Cilium release 1.13.4. As a workaround, restrict the creation of `ReferenceGrant` resources to admin users by using Kubernetes RBAC.
Details
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| cilium | — | — |
| cilium-operator | — | — |
| cilium-proxy | — | — |
| github.com/cilium/cilium | — | — |
| hubble | — | — |
| hubble-relay | — | — |
| hubble-ui | — | — |
| hubble-ui-backend | — | — |
References
Similar Threats
- Unknown CLEANSTART-2026-BR79647
- Unknown CLEANSTART-2026-GB36430
- Unknown CLEANSTART-2026-QR52625
- High CVE-2024-28860
- High CVE-2024-28248
Free Vulnerability Check
Is your WordPress site affected?
BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.
Scan My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.