Permissive Regular Expression in Istio - CVE-2026-39350

Published: April 20, 2026


Vulnerability identifier: #VU126603
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39350
CWE-ID: CWE-625
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Istio
Affected software:
Istio

Detailed vulnerability description

The vulnerability allows a remote user to bypass AuthorizationPolicy matching and, as a result, disclose sensitive information or modify authorization outcomes.

The vulnerability exists because the serviceAccounts and notServiceAccounts fields of AuthorizationPolicy are matched too permissively when a service account name contains dots (CWE-625, Permissive Regular Expression). Under that classification the name is not compared as a literal string, so a dot in it can match characters other than a dot. A remote user holding a mesh identity (the CVSS vector records PR:L) with a crafted service account name can therefore be matched by a rule that was not meant to cover it, or escape one that was.

An ALLOW rule targeting a service account name such as cert-manager.io may also match unintended variants, while a DENY rule targeting the same name may fail to block those variants.
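The following Go program is an added illustration of the matching failure the advisory describes; it is not Istio source code and does not come from this page. The Rule type, the two matcher functions and the simplified DENY-before-ALLOW evaluation order are assumptions made for the example; cert-manager.io is the advisory's own example name and cert-managerXio is a constructed variant used to show the difference.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed illustration for this advisory, not Istio source code. It models how a
// service account name from an AuthorizationPolicy serviceAccounts or notServiceAccounts
// entry could be compiled into a matcher, permissively (CWE-625) and literally.

// Rule is a minimal stand-in for one AuthorizationPolicy rule (assumed shape).
type Rule struct {
	Action             string   // "ALLOW" or "DENY"
	ServiceAccounts    []string // rule applies if the caller is one of these
	NotServiceAccounts []string // rule applies only if the caller is none of these
}

// Matcher compiles a service account name into an anchored regexp.
type Matcher func(name string) (*regexp.Regexp, error)

// PermissiveMatcher uses the name verbatim as a pattern, so "." matches any
// single character: "cert-manager.io" also matches "cert-managerXio".
func PermissiveMatcher(name string) (*regexp.Regexp, error) {
	return regexp.Compile("^" + name + "$")
}

// StrictMatcher escapes metacharacters first, so the name is matched literally.
func StrictMatcher(name string) (*regexp.Regexp, error) {
	return regexp.Compile("^" + regexp.QuoteMeta(name) + "$")
}

// NeedsReview flags a name the permissive matcher would not treat literally;
// run it over existing policies to find the rules exposed to this issue.
func NeedsReview(name string) bool {
	return regexp.QuoteMeta(name) != name
}

// anyMatch reports whether principal matches at least one of the names.
func anyMatch(names []string, principal string, m Matcher) (bool, error) {
	for _, n := range names {
		re, err := m(n)
		if err != nil {
			return false, fmt.Errorf("compile %q: %w", n, err)
		}
		if re.MatchString(principal) {
			return true, nil
		}
	}
	return false, nil
}

// ruleMatches: ServiceAccounts (if set) must match the caller, NotServiceAccounts must not.
func ruleMatches(r Rule, principal string, m Matcher) (bool, error) {
	in, err := anyMatch(r.ServiceAccounts, principal, m)
	if err != nil {
		return false, err
	}
	out, err := anyMatch(r.NotServiceAccounts, principal, m)
	if err != nil {
		return false, err
	}
	return (len(r.ServiceAccounts) == 0 || in) && !out, nil
}

// Evaluate follows a simplified Istio ordering: any matching DENY rule denies;
// otherwise, if ALLOW rules exist, one must match; with no ALLOW rules the request passes.
func Evaluate(rules []Rule, principal string, m Matcher) (bool, error) {
	haveAllow, allowed := false, false
	for _, r := range rules {
		ok, err := ruleMatches(r, principal, m)
		if err != nil {
			return false, err
		}
		switch r.Action {
		case "DENY":
			if ok {
				return false, nil
			}
		case "ALLOW":
			haveAllow = true
			allowed = allowed || ok
		}
	}
	return allowed || !haveAllow, nil
}

func main() {
	// Constructed policies built around the advisory's example name.
	allowOnly := []Rule{{Action: "ALLOW", ServiceAccounts: []string{"cert-manager.io"}}}
	denyExcept := []Rule{{Action: "DENY", NotServiceAccounts: []string{"cert-manager.io"}}}
	for _, caller := range []string{"cert-manager.io", "cert-managerXio"} {
		for name, m := range map[string]Matcher{"permissive": PermissiveMatcher, "strict": StrictMatcher} {
			a, _ := Evaluate(allowOnly, caller, m)
			d, _ := Evaluate(denyExcept, caller, m)
			fmt.Printf("%-10s caller=%-16s allowOnly=%-5v denyExcept=%v\n", name, caller, a, d)
		}
	}
}
```

Running it shows the two outcomes the advisory names: with the permissive matcher the ALLOW rule admits cert-managerXio, and the DENY rule that exempts only cert-manager.io also lets cert-managerXio through; with the literal matcher both behave as written. NeedsReview is the quick audit: any serviceAccounts or notServiceAccounts entry for which it returns true is a rule whose behaviour this issue can change.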


How to mitigate CVE-2026-39350

Install the security update from the vendor's website. Until it is applied, review every AuthorizationPolicy whose serviceAccounts or notServiceAccounts entries contain a dot, since only such entries are affected, and treat ALLOW rules on those names as potentially broader than written.

Sources