Unauthenticated HTTP GET Request in Istio's RequestAuthentication Resource
CVE-2026-41413

5 MEDIUM

Key Information:

Vendor: Istio
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41413?

Istio, an open platform for connecting and securing microservices, has a vulnerability in its RequestAuthentication resource. When a rule is configured with a jwksUri that points to an internal service, istiod performs an unauthenticated HTTP GET request to that URL without filtering out localhost or link-local IP addresses. Because the fetched response is distributed to Envoy proxies through xDS configuration, sensitive information from such internal endpoints can be leaked to the proxies. The issue is fixed in versions 1.28.6 and 1.29.2; deployments on earlier versions should update to these patched releases.
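The description above says the fix adds filtering of localhost and link-local destinations for jwksUri. The following is an added example (not Istio's code or its actual fix) of the kind of pre-deployment check a cluster operator could run over RequestAuthentication manifests to flag rules whose jwksUri targets loopback, link-local or unspecified addresses. It assumes the resource has already been parsed from YAML or JSON into a dict; the sample manifest, hostnames and addresses are constructed for illustration.

```python
"""Flag RequestAuthentication jwtRules whose jwksUri points at loopback or
link-local destinations.  Added example, not Istio's own implementation."""
import ipaddress
from urllib.parse import urlsplit

# Hostnames that name the local host without a DNS lookup.
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def classify_jwks_host(uri):
    """Return a reason string if the jwksUri destination is disallowed, else None.

    Only literal IP addresses and the well-known loopback hostnames are
    checked here.  DNS names (and shorthand forms such as "127.1") that
    resolve to loopback need a resolution-time check, which this static
    policy does not perform.
    """
    try:
        parts = urlsplit(uri)
        host = parts.hostname  # lower-cased, brackets stripped for IPv6
    except ValueError:
        return "unparseable URI"
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme {parts.scheme!r}"
    if not host:
        return "missing host"
    if host.rstrip(".") in LOCAL_HOSTNAMES:
        return "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; see docstring
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address"
    if addr.is_unspecified:
        # 0.0.0.0 / :: connect to the local host on common platforms.
        return "unspecified address"
    # Private (RFC 1918 / ULA) addresses are deliberately allowed: an
    # in-cluster JWKS service is a legitimate jwksUri target, and the
    # advisory's fix is scoped to localhost and link-local destinations.
    return None


def audit_request_authentication(resource):
    """Return a list of (rule_index, issuer, reason) for disallowed jwksUri values."""
    findings = []
    rules = (resource.get("spec") or {}).get("jwtRules") or []
    for i, rule in enumerate(rules):
        uri = rule.get("jwksUri")
        if uri is None:
            continue  # no explicit fetch URL in this rule (e.g. inline jwks)
        reason = classify_jwks_host(uri)
        if reason:
            findings.append((i, rule.get("issuer"), reason))
    return findings


# Constructed sample manifest (already parsed); issuers and addresses are made up.
SAMPLE_RESOURCE = {
    "apiVersion": "security.istio.io/v1",
    "kind": "RequestAuthentication",
    "metadata": {"name": "jwt-example", "namespace": "default"},
    "spec": {
        "jwtRules": [
            {"issuer": "https://issuer.example",
             "jwksUri": "https://issuer.example/.well-known/jwks.json"},
            {"issuer": "local-v4", "jwksUri": "http://127.0.0.1:8080/keys"},
            {"issuer": "local-v6", "jwksUri": "http://[::1]:8080/keys"},
            {"issuer": "link-local", "jwksUri": "http://169.254.10.20/keys"},
            {"issuer": "in-cluster", "jwksUri": "http://10.0.0.5/keys"},
        ]
    },
}

if __name__ == "__main__":
    for idx, issuer, reason in audit_request_authentication(SAMPLE_RESOURCE):
        print(f"jwtRules[{idx}] issuer={issuer!r}: {reason}")
```

Run against the constructed manifest, the audit reports rules 1, 2 and 3 (loopback IPv4, loopback IPv6, link-local) and leaves the public issuer and the in-cluster 10.0.0.5 service alone. The same check can be wired into an admission webhook or a CI lint step so that a rule of this shape is rejected before istiod ever fetches it, which is useful as a compensating control on clusters that cannot yet move to 1.28.6 or 1.29.2.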

Affected Version(s)

istio < 1.28.6

istio >= 1.29.0-alpha.0, < 1.29.2

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved