ISTIO-SECURITY-2026-003
Istio security fixes for authorization bypass and SSRF.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2026-39350 CVE-2026-XXXXX |
| CVSS Impact Score | 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Affected Releases | 1.29.0 to 1.29.1, 1.28.0 to 1.28.5 |
CVE
Istio CVEs
- CVE-2026-39350 / GHSA-9gcg-w975-3rjh (CVSS score 5.4, Moderate): `AuthorizationPolicy` `serviceAccounts` regex injection via unescaped dots. Reported by Wernerina.
- CVE-2026-41413 / GHSA-fgw5-hp8f-xfhc (CVSS score 5.0, Moderate): SSRF via `RequestAuthentication` `jwksUri`. Reported by KoreaSecurity, 1seal, AKiileX.
Am I Impacted?
All users running affected Istio versions are potentially impacted:

- The Authorization Bypass impact is relevant if you use `AuthorizationPolicy` resources that specify `serviceAccounts` containing dots. An attacker could bypass an `ALLOW` policy or slip through a `DENY` policy by using a service account with a name that exploits the regex wildcard interpretation.
- The SSRF impact is relevant if you allow users or automated systems to create `RequestAuthentication` resources. An attacker could provide a `jwksUri` that points to internal metadata services or local host ports, potentially leaking sensitive internal data to the control plane via xDS configuration.
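A simplified model of the regex wildcard problem described above, shown next to the escaped form and a small audit helper for finding affected entries; this is an added example and not Istio's code. It assumes `serviceAccounts` entries are written as `namespace/name` and principals as `cluster.local/ns/<namespace>/sa/<name>`; the policy entry and callers are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified model of the bug class (added example, not Istio's code): a
// serviceAccounts entry interpolated into a regular expression without
// escaping lets each "." in the name match any single character.

// principalFor builds the (assumed) principal string for a service account.
func principalFor(namespace, name string) string {
	return fmt.Sprintf("cluster.local/ns/%s/sa/%s", namespace, name)
}

// VulnerableMatcher interpolates the entry verbatim, so "." becomes a wildcard.
func VulnerableMatcher(namespace, name string) *regexp.Regexp {
	return regexp.MustCompile("^cluster\\.local/ns/" + namespace + "/sa/" + name + "$")
}

// HardenedMatcher escapes the operator-supplied entry so "." only matches ".".
func HardenedMatcher(namespace, name string) *regexp.Regexp {
	return regexp.MustCompile("^" + regexp.QuoteMeta(principalFor(namespace, name)) + "$")
}

// EntriesWithDots lists entries whose name part contains a dot: the ones to review.
func EntriesWithDots(entries []string) []string {
	var flagged []string
	for _, e := range entries {
		name := e[strings.LastIndex(e, "/")+1:] // "namespace/name" or bare "name"
		if strings.Contains(name, ".") {
			flagged = append(flagged, e)
		}
	}
	return flagged
}

func main() {
	// Constructed sample: policy entry "prod/billing.api" checked against two callers.
	for _, caller := range []string{"billing.api", "billingXapi"} {
		p := principalFor("prod", caller)
		fmt.Printf("%-12s vulnerable=%v hardened=%v\n", caller,
			VulnerableMatcher("prod", "billing.api").MatchString(p),
			HardenedMatcher("prod", "billing.api").MatchString(p))
	}
	fmt.Println("review:", EntriesWithDots([]string{"prod/billing.api", "prod/web"}))
}
```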
Mitigation
- For Istio 1.29 users: Upgrade to 1.29.2 or later.
- For Istio 1.28 users: Upgrade to 1.28.6 or later.