216.73.216.6

CVE-2026-39350

· Published 15/04/2026 23:16 · Modified 15/04/2026 23:16

Labels: CVE-2026-39350 2026-04-15CVE-2026-39350CWE-185[email protected]

Essential information

Published
15/04/2026 23:16
Modified
15/04/2026 23:16
Author
Creator
CVSS
5.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
istio / istio cpe:2.3:a:istio:istio:1.25.0-1.27.8:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.28.0-1.28.5:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.29.0:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.29.1:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.29.2:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.28.6:*:*:*:*:*:*:*
istio / istio cpe:2.3:a:istio:istio:1.27.9:*:*:*:*:*:*:*

References