cbcvebase.
CVE-2026-39350
published 2026-04-15

CVE-2026-39350: Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the…

PriorityP430medium5.4CVSS 3.1
AVNACLPRLUINSUCLILAN
EPSS
0.21%
11.1th percentile
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Affected

7 ranges
VendorProductVersion rangeFixed in
istio.ioistio>= 0.0.0-20241024090207-0bf27d49ba4b < 0.0.0-20260403004500-692e460c342d0.0.0-20260403004500-692e460c342d
istioistio
istioistio
istioistio
istioistio>= 1.25.0 < 1.27.91.27.9
istioistio>= 1.28.0 < 1.28.61.28.6
istioistio>= 1.29.0 < 1.29.21.29.2

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.