Authorization Policy Bypass in Istio by Mistaking Dots in Service Account Names
CVE-2026-39350

5.4 MEDIUM

Key Information:

Vendor: Istio
Status: Vendor
CVE Published: 15 April 2026

What is CVE-2026-39350?

In Istio versions 1.25.0 to 1.27.8 and 1.28.0 to 1.28.5, an incorrect interpretation of dots (.) in AuthorizationPolicy fields can lead to an access control bypass. Specifically, the serviceAccounts and notServiceAccounts fields treat a dot as a regular expression wildcard that matches any single character instead of as a literal dot. As a result, an ALLOW rule for a specific service account name such as cert-manager.io also matches unintended variants like cert-manager-io or cert-managerXio. Conversely, a DENY rule aimed at the same service account may fail to prevent access for these variants. Because service account identity is a common basis for authorization between microservices, this weakens the guarantees such policies are meant to provide. Upgrading to versions 1.29.2, 1.28.6, or 1.27.9 is recommended to mitigate this issue.
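The matching flaw described above, shown as an added Go example that is not Istio's code: a loose matcher that compiles the configured name as an unescaped regular expression beside a literal comparison, plus a small audit helper that lists policy entries containing a dot so an operator can see which rules are affected before upgrading. The rule structure, function names and evaluation logic are simplified hypothetical models; only the service account names come from the description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// matchLoose models the flawed behaviour: the configured service account
// name is compiled as a regular expression without escaping, so a "." in
// the name matches any single character. (Illustrative model, not Istio code.)
func matchLoose(configured, actual string) bool {
	return regexp.MustCompile("^" + configured + "$").MatchString(actual)
}

// matchExact is the intended comparison: the configured value is a literal
// name, so only the identical service account matches.
func matchExact(configured, actual string) bool {
	return configured == actual
}

// Allowed reports whether an ALLOW rule whose serviceAccounts list is
// `configured` admits the caller `actual`, using the supplied matcher.
func Allowed(configured []string, actual string, match func(string, string) bool) bool {
	for _, name := range configured {
		if match(name, actual) {
			return true
		}
	}
	return false
}

// DottedEntries returns the configured names that contain a ".", i.e. the
// serviceAccounts / notServiceAccounts entries whose meaning changes under
// the flawed matcher. Useful as a pre-upgrade audit of existing policies.
func DottedEntries(configured []string) []string {
	var out []string
	for _, name := range configured {
		if strings.Contains(name, ".") {
			out = append(out, name)
		}
	}
	return out
}

func main() {
	rule := []string{"cert-manager.io"} // constructed sample ALLOW rule
	for _, sa := range []string{"cert-manager.io", "cert-manager-io", "cert-managerXio"} {
		fmt.Printf("%-16s loose=%-5v exact=%v\n", sa,
			Allowed(rule, sa, matchLoose), Allowed(rule, sa, matchExact))
	}
	fmt.Println("entries exposed to the dot bug:", DottedEntries(rule))
}
```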

Affected Version(s)

istio >= 1.25.0, < 1.27.9

istio >= 1.28.0, < 1.28.6

istio >= 1.29.0, < 1.29.2

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved