CVE-2026-39350
Published 2026-04-15
Priority P4 · 30 · medium · CVSS 3.1 base score 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS 0.21% (11.1th percentile)
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| istio.io | istio | >= 0.0.0-20241024090207-0bf27d49ba4b < 0.0.0-20260403004500-692e460c342d | 0.0.0-20260403004500-692e460c342d |
| istio | istio | — | — |
| istio | istio | — | — |
| istio | istio | — | — |
| istio | istio | >= 1.25.0 < 1.27.9 | 1.27.9 |
| istio | istio | >= 1.28.0 < 1.28.6 | 1.28.6 |
| istio | istio | >= 1.29.0 < 1.29.2 | 1.29.2 |
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vendor_redhat · 5.4 MEDIUM
Red Hat
Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names
vendor_redhat · 2026-04-15 · CVSS 5.4 · MEDIUM · CWE-625
A flaw was found in Istio, an open platform designed to connect, manage, and secure microservices. The serviceAccounts and notServiceAccounts fields within Istio's AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. This vulnerability allows an attacker to craft service account names that can bypass intended authorization rules. As a result, an ALLOW policy may grant access to unauthorized service accounts, or a DENY policy may fail to block malicious variants, potentially leading to unauthorized access or information disclosure.
Statement: This vulnerability in Istio's AuthorizationPolicy allows for authorization bypass due to incorrect
VulDB
Istio up to 1.27.8/1.28.5/1.29.1 notServiceAccounts incorrect regex (GHSA-9gcg-w975-3rjh)
vuldb · 2026-04-16 · CVSS 5.4 · MEDIUM
A vulnerability labeled as critical has been found in Istio up to 1.27.8/1.28.5/1.29.1. Affected by this issue is some unknown functionality. The manipulation of the argument notServiceAccounts results in an incorrect regular expression.
This vulnerability is cataloged as CVE-2026-39350. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots
ghsa · 2026-04-16 · MEDIUM · CWE-185
### Impact
The `serviceAccounts` and `notServiceAccounts` fields in AuthorizationPolicy incorrectly interpret dots (`.`) as a regular expression matcher. Because `.` is a valid character in a service account name, an `AuthorizationPolicy` ALLOW rule targeting a service account such as `cert-manager.io` also matches `cert-manager-io`, `cert-managerXio`, etc. A DENY rule targeting the same name fails to block those variants.
### Patches
Fixes are available in 1.29.2, 1.28.6, and 1.27.9.
### Workarounds
None
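The over-match described in the Impact section comes down to a name being compiled as a regular expression without escaping its metacharacters. The following Go program is an added illustration, not Istio's own code: it models the defective and the hardened behaviour with Go's `regexp` package (Istio actually emits an Envoy matcher, which this does not reproduce), and the `AuditPolicyName` helper and the candidate names are constructed for the example. It shows which principals a policy name such as `cert-manager.io` would accept when the dot is left unescaped, and that `regexp.QuoteMeta` restores literal matching.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchUnescaped models the defective behaviour from the advisory: the
// service account name is compiled as a regular expression as-is, so "."
// matches any single character. (Constructed model, not Istio's code path.)
func matchUnescaped(policyName, principal string) (bool, error) {
	re, err := regexp.Compile("^" + policyName + "$")
	if err != nil {
		return false, err
	}
	return re.MatchString(principal), nil
}

// matchEscaped is the hardened form: regexp.QuoteMeta escapes every regex
// metacharacter, so the policy name only matches itself literally.
func matchEscaped(policyName, principal string) (bool, error) {
	re, err := regexp.Compile("^" + regexp.QuoteMeta(policyName) + "$")
	if err != nil {
		return false, err
	}
	return re.MatchString(principal), nil
}

// AuditPolicyName (hypothetical helper) reports every candidate principal
// that the unescaped matcher accepts but the literal matcher rejects, i.e.
// the set a reviewer of an AuthorizationPolicy would want surfaced.
func AuditPolicyName(policyName string, candidates []string) []string {
	var overMatched []string
	for _, c := range candidates {
		loose, errLoose := matchUnescaped(policyName, c)
		strict, errStrict := matchEscaped(policyName, c)
		if errLoose != nil || errStrict != nil {
			continue // a name that is not even a valid regex is out of scope here
		}
		if loose && !strict {
			overMatched = append(overMatched, c)
		}
	}
	return overMatched
}

func main() {
	// Constructed service account names, taken from the advisory's own illustration
	// plus one longer name to show the anchored pattern does not over-match on length.
	candidates := []string{
		"cert-manager.io",
		"cert-manager-io",
		"cert-managerXio",
		"cert-manager.io.extra",
	}
	fmt.Println("over-matched by unescaped dot:", AuditPolicyName("cert-manager.io", candidates))
}
```

Running it prints the two variants the advisory names (`cert-manager-io` and `cert-managerXio`); the literal name still matches under both matchers, and the longer name matches under neither because the pattern is anchored. The fix in the patched Istio versions corresponds to the `matchEscaped` side: treat the configured name as a literal, not as a pattern.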
No detection rules found.
No public exploits indexed.