Platform
go
Component
istio
Fixed in
1.25.1
1.28.1
1.29.1
0.0.0-20260403004500-692e460c342d
CVE-2026-39350 describes a vulnerability in Istio where the serviceAccounts and notServiceAccounts fields within AuthorizationPolicy are incorrectly interpreted. This misinterpretation stems from treating dots (.) as regular expression matchers, allowing attackers to bypass intended access controls. The vulnerability impacts Istio versions 1.25.0 through 1.29.0 (excluding 1.29.2) and is addressed in versions 1.29.2, 1.28.6, and 1.27.9.
This vulnerability allows an attacker to bypass authorization policies within an Istio service mesh. Because the dot (.) is treated as a regular expression metacharacter, an AuthorizationPolicy ALLOW rule targeting a service account like cert-manager.io will inadvertently match variations such as cert-manager-io and cert-managerXio. Conversely, a DENY rule targeting the same service account will fail to block these variations, effectively granting unauthorized access. This can lead to sensitive data exposure, privilege escalation, and potentially complete compromise of services protected by the Istio mesh. The blast radius extends to any service relying on Istio's authorization policies for access control.
CVE-2026-39350 was publicly disclosed on April 15, 2026. There is no indication of active exploitation at this time. The vulnerability's impact is dependent on the configuration of Istio AuthorizationPolicies, making it less likely to be a widespread issue. It is not currently listed on the CISA KEV catalog.
Organizations heavily reliant on Istio for service mesh security and employing complex service account naming conventions are particularly at risk. Environments with granular AuthorizationPolicy configurations, especially those using dots in service account names, should prioritize patching.
• linux / server:
journalctl -u istiod | grep -i "authorizationpolicy" -A 10
• generic web:
curl -I <istio-ingress-gateway-url>/authorizationdisclosure
Exploit status
EPSS
0.01% (percentile 1%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39350 is to upgrade to a patched version of Istio. Specifically, upgrade to version 1.29.2, 1.28.6, or 1.27.9. Unfortunately, no workarounds are available to address this vulnerability without upgrading. Rolling back to a previous version is not recommended as it may introduce other security risks. After upgrading, verify the proper functioning of your AuthorizationPolicies by testing access control for various service accounts, including those with dots in their names, to ensure the vulnerability is effectively mitigated.
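The following Go snippet is an added illustration, not Istio's own code: it models the behaviour described above (a configured service account name compiled as a regular expression without escaping, so "." matches any character) next to the intended literal comparison, and provides a small audit helper for the post-upgrade verification step. The anchored-regex model and the candidate identities are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchRegexDot models the defective interpretation: the configured name is
// compiled verbatim as a regular expression, so an unescaped "." matches any
// single character. Anchoring with ^ and $ is an assumption of this model.
func matchRegexDot(configured, presented string) bool {
	re, err := regexp.Compile("^" + configured + "$")
	if err != nil {
		return false
	}
	return re.MatchString(presented)
}

// matchLiteral is the intended behaviour: the name is an exact string, so
// metacharacters are neutralised with regexp.QuoteMeta before compiling.
func matchLiteral(configured, presented string) bool {
	re := regexp.MustCompile("^" + regexp.QuoteMeta(configured) + "$")
	return re.MatchString(presented)
}

// needsReview reports whether a configured principal contains regex
// metacharacters and so deserves a look when verifying policies after the upgrade.
func needsReview(configured string) bool {
	return regexp.QuoteMeta(configured) != configured
}

// overMatched returns the candidate identities the defective matcher accepts
// but the literal matcher rejects, i.e. the lookalikes a rule would wrongly cover.
func overMatched(configured string, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if matchRegexDot(configured, c) && !matchLiteral(configured, c) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed sample: the principal from the advisory text plus lookalikes.
	principal := "cert-manager.io"
	candidates := []string{"cert-manager.io", "cert-manager-io", "cert-managerXio", "cert-manager.io2"}
	fmt.Println("needs review:", needsReview(principal))
	fmt.Println("over-matched identities:", overMatched(principal, candidates))
}
```

Running it lists cert-manager-io and cert-managerXio as identities the defective matcher accepts, while the exact name cert-manager.io is accepted by both matchers.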
Upgrade Istio to version 1.29.2, 1.28.6 or 1.27.9 to mitigate the vulnerability. This update corrects an error in the handling of dots in the serviceAccounts fields of AuthorizationPolicy, preventing the bypass of authorization policies.
CVE-2026-39350 is a medium-severity vulnerability in Istio where incorrect regex interpretation in AuthorizationPolicy allows unauthorized access due to dots being treated as regex characters.
You are affected if you are running an Istio version >= 1.25.0 and < 1.29.2. Check your Istio version and upgrade if necessary.
Upgrade to Istio version 1.29.2, 1.28.6, or 1.27.9. No workarounds are available.
There is currently no indication of active exploitation of CVE-2026-39350.
Refer to the Istio project's official security advisories for detailed information and updates: [https://istio.io/latest/docs/security/](https://istio.io/latest/docs/security/)