CVE-2026-31837
HIGH
Istio <1.29.1/1.28.5/1.27.8 - Auth Bypass
Title source: llm
Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Scores
CVSS v3
7.5
EPSS
0.0005
EPSS Percentile
14.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (3)
istio/istio
< 1.27.8 (2 CPE variants)
istio/istio
>= 1.28.0-alpha.0, < 1.28.5
istio/istio
>= 1.29.0-alpha.0, < 1.29.1
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026