CVE-2026-39350
Received Received - Intake
Regex Misinterpretation in Istio AuthorizationPolicy Causes Access Bypass

Publication date: 2026-04-15

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39350
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
istio istio From 1.25.0 (inc) to 1.27.9 (exc)
istio istio From 1.28.0 (inc) to 1.28.6 (exc)
istio istio From 1.29.0 (inc) to 1.29.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Istio versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. It involves the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy, which incorrectly interpret the dot character (.) as a regular expression matcher.

Since a dot is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account like cert-manager.io will also match unintended variants such as cert-manager-io or cert-managerXio. Similarly, a DENY rule targeting the same name will fail to block those variants.

This means that policies intended to allow or deny specific service accounts may not work as expected due to this misinterpretation of the dot character.

Impact Analysis

This vulnerability can lead to unintended access permissions in microservices managed by Istio. An ALLOW rule may grant access to service accounts that should not be allowed, and a DENY rule may fail to block unauthorized service accounts.

As a result, unauthorized service accounts could gain access to resources or services they should not have, potentially leading to information disclosure or unauthorized actions within the microservices environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Istio to one of the fixed versions: 1.27.9, 1.28.6, or 1.29.2.

This will ensure that the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy correctly interpret dots (.) in service account names, preventing unintended matches and enforcement failures.

Compliance Impact

This vulnerability in Istio's AuthorizationPolicy allows ALLOW rules targeting specific service accounts to incorrectly match unintended service accounts due to improper interpretation of dots (.) as regular expression matchers. Consequently, DENY rules may fail to block unauthorized service accounts.

Such misconfigurations could potentially lead to unauthorized access or failure to properly restrict access to microservices, which may impact the enforcement of security controls required by standards like GDPR or HIPAA that mandate strict access controls and protection of sensitive data.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart