Description
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
Published: 2026-04-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

An Istio AuthorizationPolicy bug causes serviceAccounts fields to misinterpret periods as regular expression metacharacters, allowing names such as cert-manager.io to match cert-manager-io, cert-managerXio, etc. A policy that permits access to the intended account therefore becomes broadly permissive, while an equivalent DENY rule fails to block the variants. This flaw can be exploited to bypass access controls for any service account that contains dots, undermining confidentiality and integrity of services.

Affected Systems

Vendors: Istio. Product: Istio. Affected versions include 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. Fixed releases are 1.27.9, 1.28.6, and 1.29.2. Systems running any of the listed versions are vulnerable until updated.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity, and an EPSS score of 0.00025. It is not currently listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector requires the ability to create or modify AuthorizationPolicies. An attacker who can inject a malformed service account name or adjust a policy can gain unintended access, potentially escalating privileges within the mesh.

Generated by OpenCVE AI on April 17, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Istio to a patched release, such as 1.27.9, 1.28.6, or 1.29.2.
  • Review all AuthorizationPolicies that target service accounts containing periods and adjust them to avoid unintended regex matching; consider escaping dots or tightening allow lists.
  • If an upgrade cannot be performed immediately, temporarily disable or remove any policies that target service accounts with periods until the fix is applied.

Generated by OpenCVE AI on April 17, 2026 at 06:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9gcg-w975-3rjh Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots
History

Thu, 23 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*

Fri, 17 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-625
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 16 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Istio
Istio istio
Vendors & Products Istio
Istio istio

Wed, 15 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
Title Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass
Weaknesses CWE-185
CWE-863
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Istio Istio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T12:04:54.038Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39350

cve-icon Vulnrichment

Updated: 2026-04-16T11:13:57.554Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T23:16:09.477

Modified: 2026-04-23T20:00:21.180

Link: CVE-2026-39350

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-15T22:42:24Z

Links: CVE-2026-39350 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z

Weaknesses