CVE-2026-39350
Regex Misinterpretation in Istio AuthorizationPolicy Causes Access Bypass
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| istio | istio | From 1.25.0 (inc) to 1.27.9 (exc) |
| istio | istio | From 1.28.0 (inc) to 1.28.6 (exc) |
| istio | istio | From 1.29.0 (inc) to 1.29.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-185 | The product specifies a regular expression in a way that causes data to be improperly matched or compared. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Istio's AuthorizationPolicy allows ALLOW rules targeting specific service accounts to incorrectly match unintended service accounts due to improper interpretation of dots (.) as regular expression matchers. Consequently, DENY rules may fail to block unauthorized service accounts.
Such misconfigurations could potentially lead to unauthorized access or failure to properly restrict access to microservices, which may impact the enforcement of security controls required by standards like GDPR or HIPAA that mandate strict access controls and protection of sensitive data.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability affects Istio versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. It involves the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy, which incorrectly interpret the dot character (.) as a regular expression matcher.
Since a dot is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account like cert-manager.io will also match unintended variants such as cert-manager-io or cert-managerXio. Similarly, a DENY rule targeting the same name will fail to block those variants.
This means that policies intended to allow or deny specific service accounts may not work as expected due to this misinterpretation of the dot character.
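The following Go snippet is an added illustration, not Istio's own code: it models the matching behaviour described above (a configured service account name compiled as a regular expression without escaping) beside the literal comparison a fix needs, and adds an assumed audit heuristic, `affectedEntries`, that flags configured names containing regex metacharacters so an operator can see which policy entries are exposed before upgrading.

```go
package main

import (
	"fmt"
	"regexp"
)

// flawedMatch models the advisory's bug: the configured service account
// name is compiled as a regular expression as-is, so "." matches any
// single character. Illustrative model only, not Istio's implementation.
func flawedMatch(configured, actual string) bool {
	return regexp.MustCompile("^" + configured + "$").MatchString(actual)
}

// fixedMatch treats the configured name literally: regexp.QuoteMeta escapes
// metacharacters first, so "." in a name matches only a ".".
func fixedMatch(configured, actual string) bool {
	return regexp.MustCompile("^" + regexp.QuoteMeta(configured) + "$").MatchString(actual)
}

// affectedEntries returns the serviceAccounts/notServiceAccounts values
// that contain regex metacharacters and would therefore be mis-matched on
// an unpatched version. Assumed audit heuristic, not part of the advisory.
func affectedEntries(names []string) []string {
	var out []string
	for _, n := range names {
		if regexp.QuoteMeta(n) != n {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: the advisory's example name, the variants it says
	// are wrongly matched, and a name without a dot for contrast.
	configured := "cert-manager.io"
	for _, sa := range []string{"cert-manager.io", "cert-manager-io", "cert-managerXio", "cert-manager"} {
		fmt.Printf("%-16s flawed=%-5t fixed=%t\n", sa, flawedMatch(configured, sa), fixedMatch(configured, sa))
	}
	// Constructed policy entries: only the dotted name is flagged.
	fmt.Println("entries needing review:", affectedEntries([]string{"cert-manager.io", "default", "sa-with-dash"}))
}
```

On an unpatched version a DENY rule behaves like `flawedMatch`, so the dash and X variants slip past it; after upgrading to a fixed release the comparison behaves like `fixedMatch`.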
How can this vulnerability impact me?
This vulnerability can lead to unintended access permissions in microservices managed by Istio. An ALLOW rule may grant access to service accounts that should not be allowed, and a DENY rule may fail to block unauthorized service accounts.
As a result, unauthorized service accounts could gain access to resources or services they should not have, potentially leading to information disclosure or unauthorized actions within the microservices environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Istio to one of the fixed versions: 1.27.9, 1.28.6, or 1.29.2.
This will ensure that the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy correctly interpret dots (.) in service account names, preventing unintended matches and enforcement failures.