Authorization Policy Bypass in Istio by Envoy RBAC Header Matching
CVE-2026-31838

6.9MEDIUM

Key Information:

Vendor: Istio
Status: Istio
Vendor: CVE Published:; 10 March 2026

What is CVE-2026-31838?

A flaw in Envoy's Role-Based Access Control (RBAC) header matching in Istio allows for an authorization policy bypass, particularly when HTTP headers can have multiple values. Attackers can exploit this vulnerability by crafting specific requests that lead Envoy to misinterpret the intended header values, thereby circumventing established authorization checks. As a result, unauthorized requests may gain access to services that should be protected under the defined authorization policies. This issue has been addressed in Istio versions 1.29.1, 1.28.5, and 1.27.8.

Affected Version(s)

istio >= 1.29.0-alpha.0, < 1.29.1 < 1.29.0-alpha.0, 1.29.1

istio >= 1.28.0-alpha.0, < 1.28.5 < 1.28.0-alpha.0, 1.28.5

istio < 1.27.8 < 1.27.8

References

https://github.com/istio/istio/security/advisories/GHSA-9...

x_refsource_CONFIRM

https://github.com/istio/istio/commit/004fd6921314a8e2293...

x_refsource_MISC

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31838 Data

JSON