CVE-2026-39350 - Vulnerability Details

- Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Published: 2026-04-15

Score: 5.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An Istio AuthorizationPolicy bug causes serviceAccounts fields to misinterpret periods as regular expression metacharacters, allowing names such as cert‑manager.io to match cert‑manager-io, cert‑managerXio, etc. A policy that permits access to the intended account therefore becomes broadly permissive, while an equivalent DENY rule fails to block the variants. This flaw can be exploited to bypass access controls for any service account that contains dots, undermining confidentiality and integrity of services.

Affected Systems

Vendors: Istio. Product: Istio. Affected versions include 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. Fixed releases are 1.27.9, 1.28.6, and 1.29.2. Systems running any of the listed versions are vulnerable until updated.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity, and there is no EPSS score available. It is not currently listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector requires the ability to create or modify AuthorizationPolicies. An attacker who can inject a malformed service account name or adjust a policy can gain unintended access, potentially escalating privileges within the mesh.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

istio

affected

Version	Status	Constraints
`>= 1.25.0, < < 1.27.9`	affected	—
`>= 1.28.0, < 1.28.6`	affected	—
`>= 1.29.0, < 1.29.2`	affected	—

No data.

Vendor Product Confidence Versions

Istio

100%

Version	Status	Scheme	Platform
`[1.25.0,1.27.9)`	affected	semver	—
`[1.28.0,1.28.6)`	affected	semver	—
`[1.29.0,1.29.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Istio to a patched release, such as 1.27.9, 1.28.6, or 1.29.2.
Review all AuthorizationPolicies that target service accounts containing periods and adjust them to avoid unintended regex matching; consider escaping dots or tightening allow lists.
If an upgrade cannot be performed immediately, temporarily disable or remove any policies that target service accounts with periods until the fix is applied.

Generated by OpenCVE AI on April 16, 2026 at 02:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh

History

Thu, 16 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Apr 2026 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Istio Istio istio
Vendors & Products		Istio Istio istio

Wed, 15 Apr 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
Title		Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass
Weaknesses		CWE-185 CWE-863
References		https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Istio Istio

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-15T22:42:24.216Z

Updated: 2026-04-16T12:04:54.038Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39350

Vulnrichment

Updated: 2026-04-16T11:13:57.554Z

NVD

Status : Received

Published: 2026-04-15T23:16:09.477

Modified: 2026-04-15T23:16:09.477

Link: CVE-2026-39350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:30:21Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object