CVE-2026-39350Incorrect Regular Expression in Istio

CWE-185Incorrect Regular ExpressionCWE-863Incorrect AuthorizationCWE-625Permissive Regular Expression5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 93.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Istio.io IstioIstio
Timeline
PublishedApr 15
Latest updateApr 16

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targe

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

Goistio.io/istio0.0.0-20241024090207-0bf27d49ba4b0.0.0-20260403004500-692e460c342d
CVEListV5istio/istio>= 1.25.0, < < 1.27.9, >= 1.28.0, < 1.28.6, >= 1.29.0, < 1.29.2+2

🔴Vulnerability Details

2
VulDB
Istio up to 1.27.8/1.28.5/1.29.1 notServiceAccounts incorrect regex (GHSA-9gcg-w975-3rjh)2026-04-16
GHSA
Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots2026-04-16

📋Vendor Advisories

1
Red Hat
Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names2026-04-15

💬Community

1
Bugzilla
CVE-2026-39350 Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names2026-04-15
CVE-2026-39350 — Incorrect Regular Expression in Istio | cvebase