CVE-2026-39350

MEDIUM

Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass

Title source: cna

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

References (1)

[X_Refsource_Confirm] https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-185 CWE-863

Status published

Products (5)

istio/istio 1.25.0 - 1.27.9

istio/istio >= 1.25.0, < < 1.27.9

istio/istio >= 1.28.0, < 1.28.6

istio/istio >= 1.29.0, < 1.29.2

istio.io/istio 0.0.0-20241024090207-0bf27d49ba4b - 0.0.0-20260403004500-692e460c342dGo

Published Apr 15, 2026

Tracked Since Apr 16, 2026