Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Published: 2026-03-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credentials Exposure
Action: Patch Immediately
AI Analysis

Impact

The Istio service mesh contains a flaw in its JWT Web Key Set (JWKS) resolver. When the resolver is unable to fetch the key set from the configured provider, it falls back to hard‑coded default data that includes private key material. An attacker who can trigger a fetch failure and access the fallback output could obtain these private keys, thereby compromising the confidentiality of the service mesh and potentially enabling credential theft or impersonation. This bug is a form of information disclosure (CWE‑200) and is exacerbated by the fact that it can occur even when a RequestAuthentication resource is in place.

Affected Systems

The affected vendor is Istio, the product Istio, and all releases prior to 1.29.1, 1.28.5, and 1.27.8 are impacted. In other words, any Istio 1.28.x series before 1.28.5, any 1.27.x series before 1.27.8, and any 1.29.x series before 1.29.1 are vulnerable. Upgrading to the fixed releases or any newer version resolves the issue.

Risk and Exploitability

The CVSS vector scores this vulnerability at 8.7, marking it as high severity. The EPSS score is less than 1 %, indicating that the likelihood of exploitation in the wild is low, and the flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. However, the potential exposure of hard‑coded private keys makes the impact severe enough that it should be mitigated even if the probability is low. The likely attack vector is an environment that can force the JWKS resolver to fail—such as a network partition, misconfigured key provider, or denial‑of‑service attempt—after which the fallback data can be read by any component involved in processing the authentication flow. Because the flaw is triggered by a failure condition, it is important to confirm that proper error handling and monitoring are in place.

Generated by OpenCVE AI on April 16, 2026 at 03:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Istio to version 1.29.1, 1.28.5, or 1.27.8, or any newer release that contains the fix.
  • Verify that the JWKS endpoint for your identity provider is reachable and returning valid keys; validate that the fallback mechanism does not expose sensitive data.
  • Implement monitoring for JWKS fetch failures and enforce strict access controls on the JWKS resolver configuration to limit exposure of default data.

Generated by OpenCVE AI on April 16, 2026 at 03:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1392
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Important

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Istio
Istio istio
Vendors & Products Istio
Istio istio

Tue, 10 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Title Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Istio Istio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:58:29.647Z

Reserved: 2026-03-09T17:41:56.078Z

Link: CVE-2026-31837

cve-icon Vulnrichment

Updated: 2026-03-11T15:53:26.857Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T22:16:21.720

Modified: 2026-03-18T18:59:40.970

Link: CVE-2026-31837

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-10T21:57:44Z

Links: CVE-2026-31837 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses