Platform: go
Component: istio
Fixed in: 1.25.1, 1.28.1, 1.29.1, 0.0.0-20260403004500-692e460c342d
CVE-2026-39350 describes a vulnerability in Istio where the serviceAccounts and notServiceAccounts fields of AuthorizationPolicy are interpreted incorrectly: the configured value is treated as a regular expression, so a dot (.) in a service account name acts as a wildcard for any single character instead of matching a literal dot. An attacker can use this to bypass the intended access control. The vulnerability affects Istio 1.25.0 and later releases up to and including 1.29.1 that lack the fix, and is addressed in 1.29.2, 1.28.6, and 1.27.9.
The flaw lets a workload bypass authorization policy inside an Istio service mesh. Because the dot is compiled as a regular-expression wildcard, a configured value such as cert-manager.io matches not only that service account but any name that differs from it by one arbitrary character in the dot position, for example cert-manager-io or cert-managerXio. An ALLOW rule that lists cert-manager.io in serviceAccounts therefore admits those lookalike identities, and a DENY rule that exempts cert-manager.io through notServiceAccounts exempts the lookalikes as well, so traffic from them escapes the deny. (A DENY rule that lists the account in serviceAccounts over-blocks instead, which is an availability problem rather than a bypass.) An attacker who can run a workload under a lookalike service account name gains access that policy was meant to withhold, which can expose sensitive data, escalate privilege, and potentially compromise the services the policy protects. The blast radius covers every service whose access control depends on these two fields.
CVE-2026-39350 was publicly disclosed on April 15, 2026. There is no indication of active exploitation at this time. Exposure depends on configuration: only meshes whose AuthorizationPolicies use serviceAccounts or notServiceAccounts with names containing a dot (or another regex metacharacter) are affected, which limits how widespread the issue is. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2026-39350 is to upgrade to a patched release of Istio: 1.29.2, 1.28.6, or 1.27.9. No workaround is available short of upgrading. Rolling back to an older release is not recommended, since it may reintroduce other security issues. In the meantime, list every AuthorizationPolicy in the cluster and review any serviceAccounts or notServiceAccounts entry that contains a dot or another regex metacharacter; those are the rules that over-match. After upgrading, verify that policies behave as intended by sending requests from a service account whose name differs from a listed one only at the dot position (cert-manager-io against a rule for cert-manager.io, for instance): an ALLOW rule must reject it and a DENY rule with a notServiceAccounts exemption must still block it.
Update Istio to version 1.29.2, 1.28.6, or 1.27.9 to mitigate the vulnerability. The update corrects the handling of dots in the serviceAccounts and notServiceAccounts fields of AuthorizationPolicy so that they match literally, closing the authorization bypass.
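To make the mechanism above concrete, and to give the post-upgrade check a reproducible form, here is an added example in Go. It is not Istio's code: it models a minimal AuthorizationPolicy evaluator with two interchangeable matchers, one that compiles the configured value as a regular expression (the flaw as the advisory describes it) and one that quotes metacharacters first (one correct way to fix it), and runs both against the page's cert-manager.io example. The "<namespace>/<name>" form of the principal and the namespace cert-manager are assumptions for the sake of the demonstration; the ALLOW/DENY ordering follows Istio's documented evaluation rules.

```go
package main

import (
	"fmt"
	"regexp"
)

// Added example, not Istio's code. Principals are written "<namespace>/<name>",
// the form the serviceAccounts field is assumed to take; "cert-manager.io" is
// the page's own illustration of a dotted service account name.

type rule struct {
	serviceAccounts    []string // source.serviceAccounts
	notServiceAccounts []string // source.notServiceAccounts
}

type policy struct {
	deny  bool // false means action: ALLOW
	rules []rule
}

type matcher func(configured, actual string) bool

// matchVulnerable mimics the flaw: the configured value is compiled as a
// regular expression, so "." matches any single character.
func matchVulnerable(configured, actual string) bool {
	re, err := regexp.Compile("^" + configured + "$")
	if err != nil {
		return false
	}
	return re.MatchString(actual)
}

// matchFixed quotes metacharacters first, so "." matches only a literal dot
// (plain string equality would do as well).
func matchFixed(configured, actual string) bool {
	return regexp.MustCompile("^" + regexp.QuoteMeta(configured) + "$").MatchString(actual)
}

func anyMatch(patterns []string, principal string, m matcher) bool {
	for _, p := range patterns {
		if m(p, principal) {
			return true
		}
	}
	return false
}

// ruleMatches: serviceAccounts entries are OR'd, notServiceAccounts hits exclude;
// a rule with neither field matches every principal.
func ruleMatches(r rule, principal string, m matcher) bool {
	if len(r.serviceAccounts) > 0 && !anyMatch(r.serviceAccounts, principal, m) {
		return false
	}
	return !anyMatch(r.notServiceAccounts, principal, m)
}

// evaluate follows Istio's documented ordering: a matching DENY wins; otherwise
// the request passes when no ALLOW policy exists or some ALLOW policy matches.
func evaluate(policies []policy, principal string, m matcher) bool {
	hasAllow, allowed := false, false
	for _, p := range policies {
		hasAllow = hasAllow || !p.deny
		for _, r := range p.rules {
			if !ruleMatches(r, principal, m) {
				continue
			}
			if p.deny {
				return false
			}
			allowed = true
		}
	}
	return !hasAllow || allowed
}

const trusted = "cert-manager/cert-manager.io"

// allowOnlyTrusted: ALLOW listing the account in serviceAccounts (over-matches).
func allowOnlyTrusted() []policy {
	return []policy{{rules: []rule{{serviceAccounts: []string{trusted}}}}}
}

// denyAllButTrusted: DENY exempting the account via notServiceAccounts (over-exempts).
func denyAllButTrusted() []policy {
	return []policy{{deny: true, rules: []rule{{notServiceAccounts: []string{trusted}}}}}
}

func main() {
	fmt.Println("principal                        ALLOW vuln/fixed   DENY vuln/fixed")
	for _, p := range []string{trusted, "cert-manager/cert-manager-io", "cert-manager/cert-managerXio"} {
		fmt.Printf("%-32s %-5v %-5v        %-5v %-5v\n", p,
			evaluate(allowOnlyTrusted(), p, matchVulnerable), evaluate(allowOnlyTrusted(), p, matchFixed),
			evaluate(denyAllButTrusted(), p, matchVulnerable), evaluate(denyAllButTrusted(), p, matchFixed))
	}
}
```

With the vulnerable matcher both lookalike principals are admitted by the ALLOW policy and exempted from the DENY policy; with the quoted matcher only cert-manager/cert-manager.io passes. The same three principals are the minimum set worth exercising against a real mesh after upgrading, since they cover both the over-matching ALLOW case and the over-exempting DENY case.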
CVE-2026-39350 is a medium-severity vulnerability in Istio in which the serviceAccounts and notServiceAccounts fields of AuthorizationPolicy are matched as regular expressions, so a dot in a service account name matches any character and lookalike identities slip past the policy.
You are affected if you run Istio 1.25.0 or later without one of the fixed releases; in the 1.29 line that means 1.29.0 and 1.29.1, which are fixed in 1.29.2. Check your Istio version and upgrade if necessary.
Upgrade to Istio version 1.29.2, 1.28.6, or 1.27.9. No workarounds are available.
There is currently no indication of active exploitation of CVE-2026-39350.
Refer to the Istio project's official security advisories for detailed information and updates: [https://istio.io/latest/docs/security/](https://istio.io/latest/docs/security/)