Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Published: 2026-03-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass by manipulating HTTP header values
Action: Update Istio version
AI Analysis

Impact

A flaw in Envoy’s RBAC header matching allows an attacker to supply multiple values for a header that a policy relies on, causing Envoy to process the header differently than expected. This flaw can bypass authorization checks that depend on header-based conditions, enabling unauthorized requests to reach protected services. The weakness is rooted in improper handling of multi‑valued headers and results in a loss of confidentiality and integrity for services trusting such policies.

Affected Systems

The issue affects Istio deployments running versions prior to 1.29.1, 1.28.5, and 1.27.8. Any impacted installation that uses Envoy RBAC policies with header matching is susceptible, regardless of the underlying microservices architecture.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity, and an EPSS score of less than 1%, showing a low but non‑zero probability of exploitation. It is not listed in CISA’s KEV catalog. Exploitation likely requires the attacker to have network access to the Istio control plane or to an ingress through which requests with crafted headers can be injected. Once such a request is accepted, the attacker may reach services or internal resources that the policy should restrict.

Generated by OpenCVE AI on April 15, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Istio to 1.29.1, 1.28.5, or 1.27.8, depending on your current release
  • Ensure that any RBAC policies referencing HTTP headers are limited to single‑valued headers or redesigned to avoid relying on header values that could be injected with multiple entries
  • If an immediate upgrade is not possible, temporarily disable or replace any header‑based authorization rules with more robust restrictions, such as source IP or mutual TLS checks
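The recommended actions above call for finding every RBAC rule that keys on an HTTP header and either confining it to identity-bound callers or replacing it. The following audit script is an added example, not OpenCVE's or Istio's own code: it walks Istio AuthorizationPolicy objects (given here as already-parsed dicts, with constructed sample manifests, so it runs offline) and reports each rule whose `when` condition uses a `request.headers[...]` key, noting whether the same rule also carries a `from.source` identity or origin constraint such as `principals`, `namespaces` or `ipBlocks`. Rules with no such constraint are the ones to redesign first; that prioritisation, and the `audit_policy`/`risky_findings` function names, are this example's assumptions rather than anything the advisory specifies.

```python
import re
from typing import Any, Dict, List

# Istio AuthorizationPolicy condition keys for header matching look like
# "request.headers[x-user-role]"; capture the header name inside the brackets.
HEADER_KEY_RE = re.compile(r"^request\.headers\[(?P<name>[^\]]+)\]$")

# `from.source` fields that bind a rule to caller identity (mTLS principal,
# namespace) or network origin rather than to attacker-controlled request content.
IDENTITY_SOURCE_FIELDS = (
    "principals", "notPrincipals", "namespaces", "notNamespaces",
    "ipBlocks", "notIpBlocks", "remoteIpBlocks", "notRemoteIpBlocks",
)


def rule_has_identity_source(rule: Dict[str, Any]) -> bool:
    """True if any `from.source` clause of the rule restricts who may call."""
    for clause in rule.get("from") or []:
        source = clause.get("source") or {}
        if any(source.get(field) for field in IDENTITY_SOURCE_FIELDS):
            return True
    return False


def audit_policy(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per rule whose `when` block matches on an HTTP header."""
    findings: List[Dict[str, Any]] = []
    meta = policy.get("metadata") or {}
    spec = policy.get("spec") or {}
    action = spec.get("action", "ALLOW")  # Istio treats an unset action as ALLOW
    for idx, rule in enumerate(spec.get("rules") or []):
        headers = []
        for cond in rule.get("when") or []:
            match = HEADER_KEY_RE.match(cond.get("key", ""))
            if match:
                headers.append(match.group("name").lower())  # header names are case-insensitive
        if not headers:
            continue
        findings.append({
            "policy": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
            "rule": idx,
            "action": action,
            "headers": headers,
            "identity_bound": rule_has_identity_source(rule),
        })
    return findings


def audit_policies(policies: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Audit a list of AuthorizationPolicy objects (e.g. the output of a cluster dump)."""
    return [f for p in policies for f in audit_policy(p)]


def risky_findings(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Header-matching rules with no identity/origin binding: both an ALLOW that grants
    on header content alone and a DENY that can be sidestepped by evading the match."""
    return [f for f in findings if not f["identity_bound"]]


# Constructed sample manifests (parsed form), not taken from any real cluster.
SAMPLE_POLICIES = [
    {"apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
     "metadata": {"name": "allow-admin-by-header", "namespace": "payments"},
     "spec": {"action": "ALLOW", "rules": [
         {"when": [{"key": "request.headers[X-User-Role]", "values": ["admin"]}]}]}},
    {"apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
     "metadata": {"name": "allow-admin-mtls-and-header", "namespace": "payments"},
     "spec": {"action": "ALLOW", "rules": [
         {"from": [{"source": {"principals": ["cluster.local/ns/frontend/sa/web"]}}],
          "when": [{"key": "request.headers[x-user-role]", "values": ["admin"]}]}]}},
    {"apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
     "metadata": {"name": "deny-legacy-client", "namespace": "payments"},
     "spec": {"action": "DENY", "rules": [
         {"when": [{"key": "request.headers[user-agent]", "values": ["legacy-client/*"]}]}]}},
    {"apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
     "metadata": {"name": "allow-frontend-by-identity", "namespace": "payments"},
     "spec": {"rules": [{"from": [{"source": {"namespaces": ["frontend"]}}]}]}},
]


if __name__ == "__main__":
    all_findings = audit_policies(SAMPLE_POLICIES)
    for f in all_findings:
        tag = "REDESIGN" if not f["identity_bound"] else "review"
        print(f"[{tag}] {f['policy']} rule {f['rule']} ({f['action']}) headers={f['headers']}")
```

Feed it the parsed output of `kubectl get authorizationpolicies -A -o json` (the `items` list) to audit a live cluster; the example keeps the sample policies inline so it runs without a cluster.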

Generated by OpenCVE AI on April 15, 2026 at 22:40 UTC.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 07:15:00 +0000


Wed, 18 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate


Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Istio
Istio istio
Vendors & Products Istio
Istio istio

Tue, 10 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Title Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T02:39:59.774Z

Reserved: 2026-03-09T17:41:56.078Z

Link: CVE-2026-31838

Vulnrichment

Updated: 2026-03-11T13:53:25.008Z

NVD

Status : Modified

Published: 2026-03-10T22:16:21.870

Modified: 2026-04-07T03:16:07.900

Link: CVE-2026-31838

Redhat

Severity : Moderate

Public Date: 2026-03-10T21:58:53Z

Links: CVE-2026-31838 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses