CVE-2026-39350

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:istio:istio::::::::
	cpe:2.3:a:istio:istio::::::::
	cpe:2.3:a:istio:istio::::::::

History

23 Apr 2026, 20:00

Type	Values Removed	Values Added
CPE		cpe:2.3:a:istio:istio::::::::
References	~~() https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh -~~	() https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh - Vendor Advisory
First Time		Istio istio Istio

15 Apr 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-15 23:16

Updated : 2026-04-23 20:00

NVD link : CVE-2026-39350

Mitre link : CVE-2026-39350

CVE.ORG link : CVE-2026-39350

JSON object : View

Products Affected

istio

istio

CWE

CWE-185

Incorrect Regular Expression

CWE-863

Incorrect Authorization

{"id": "CVE-2026-39350", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-04-15T23:16:09.477", "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "lastModified": "2026-04-23T20:00:21.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEC41C44-C2B8-42E4-9A2B-DAA309E836E1", "versionEndExcluding": "1.27.9", "versionStartIncluding": "1.25.0"}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A1736F0-437F-42AB-B244-0AAC18CD1719", "versionEndExcluding": "1.28.6", "versionStartIncluding": "1.28.0"}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60B7D5B0-B748-4C22-A4B3-63D25E78F061", "versionEndExcluding": "1.29.2", "versionStartIncluding": "1.29.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}