CVE-2026-31837
Modified
Modified - Updated After Analysis
JWKS Resolver Failure in Istio Exposes Hardcoded Credentials
Vulnerability report for CVE-2026-31837, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-10
Last updated on: 2026-06-30
Assigner: GitHub, Inc.
Description
Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| istio | istio | to 1.27.8 (exc) |
| istio | istio | From 1.28.0 (inc) to 1.28.5 (exc) |
| istio | istio | From 1.29.0 (inc) to 1.29.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |