CVE-2026-31838

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/istio/istio/commit/004fd6921314a8e2293fd195d91645dcbbff0aa1
https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:istio:istio::::::::
	cpe:2.3:a:istio:istio::::::::
	cpe:2.3:a:istio:istio::::::::

History

07 Apr 2026, 03:16

Type	Values Removed	Values Added
References		() https://github.com/istio/istio/commit/004fd6921314a8e2293fd195d91645dcbbff0aa1 -

18 Mar 2026, 18:58

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Istio istio Istio
References	~~() https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww -~~	() https://github.com/istio/istio/security/advisories/GHSA-974c-2wxh-g4ww - Vendor Advisory
CPE		cpe:2.3:a:istio:istio::::::::

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) Istio es una plataforma abierta para conectar, gestionar y proteger microservicios. Antes de 1.29.1, 1.28.5 y 1.27.8, una vulnerabilidad en la coincidencia de encabezados RBAC de Envoy podría permitir la omisión de la política de autorización cuando las políticas dependen de encabezados HTTP que pueden contener múltiples valores. Un atacante podría elaborar solicitudes con múltiples valores de encabezado de una manera que hace que Envoy evalúe el encabezado de forma diferente a lo previsto, potencialmente omitiendo las comprobaciones de autorización. Esto podría permitir que solicitudes no autorizadas lleguen a servicios protegidos cuando las políticas dependen de tales condiciones de coincidencia basadas en encabezados. Esta vulnerabilidad está corregida en 1.29.1, 1.28.5 y 1.27.8.

10 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 22:16

Updated : 2026-04-07 03:16

NVD link : CVE-2026-31838

Mitre link : CVE-2026-31838

CVE.ORG link : CVE-2026-31838

JSON object : View

Products Affected

istio

istio

CWE

CWE-863

Incorrect Authorization

5.3 /10