Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields...

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Basic Information

ID CVE-2026-39350

Source GitHub_M

Published Apr 15, 2026 at 22:42

Affected Product

Vendor istio

Product istio

Version >= 1.25.0, < < 1.27.9

Affected Versions istio istio >= 1.25.0, < < 1.27.9
istio istio >= 1.28.0, < 1.28.6
istio istio >= 1.29.0, < 1.29.2

CWE Classification

CWE-185 CWE-863

References

github.com /istio/istio/security/advisories/GHSA-9gcg-w975-3rjh

{
    "lastseen": "",
    "description": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.",
    "published": "2026-04-15T22:42:24.216Z",
    "modified": "2026-04-15T22:42:24.216Z",
    "type": "cve",
    "title": "Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh",
    "id": "CVE-2026-39350",
    "bulletinFamily": "",
    "cwe": [
        "CWE-185",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "istio istio >= 1.25.0, < < 1.27.9\nistio istio >= 1.28.0, < 1.28.6\nistio istio >= 1.29.0, < 1.29.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "istio",
    "version": ">= 1.25.0, < < 1.27.9",
    "vendor": "istio",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass_CVE-2026-39350