CVE-2026-41413
Information Disclosure in Istio via Unfiltered JWKS Requests
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| istio | istio | 1.28.6 |
| istio | istio | 1.29.2 |
| istio | istio | up to 1.29.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41413 is a Server-Side Request Forgery (SSRF) vulnerability in Istio, an open platform for managing microservices. The issue arises when a RequestAuthentication resource is created with a jwksUri pointing to an internal service. Istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link-local IP addresses. This behavior can lead to sensitive data being exposed to Envoy proxies through xDS configuration.
How can this vulnerability impact me?
This vulnerability can lead to the unintended exposure of sensitive data to Envoy proxies within the service mesh. Because Istiod makes unauthenticated requests to internal URLs without proper filtering, attackers with network access could exploit this to retrieve sensitive information. The CVSS score is 5.0 (Moderate), indicating a low complexity attack that requires low privileges and no user interaction, but it can impact confidentiality and change the security scope.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Istiod making unauthenticated HTTP GET requests to internal services specified by jwksUri in RequestAuthentication resources without filtering localhost or link-local IPs. Detection would involve monitoring Istiod's network requests for suspicious or unexpected HTTP GET calls to internal or localhost addresses.
You can inspect the RequestAuthentication resources in your Istio environment to identify any jwksUri values pointing to internal or localhost addresses.
- Use kubectl to list RequestAuthentication resources across all namespaces and print each resource's namespace/name together with its jwksUri fields: kubectl get requestauthentication --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.jwtRules[*].jwksUri}{"\n"}{end}'
- Monitor Istiod logs for HTTP GET requests to localhost or link-local IPs.
- Use network monitoring tools (e.g., tcpdump, Wireshark) on the Istiod host to capture HTTP GET requests to internal IP ranges.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Istio to versions 1.28.6 or 1.29.2, where the vulnerability has been fully patched.
If immediate upgrade is not possible, deploy a ValidatingAdmissionPolicy to block RequestAuthentication resources with jwksUri values pointing to localhost or link-local IP addresses.
Review and restrict the creation of RequestAuthentication resources to trusted users to prevent malicious jwksUri configurations.
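The detection and mitigation answers above both come down to one predicate: does a jwksUri point Istiod at a loopback or link-local address? The script below is an added example, not code from the advisory or from the Istio project. It assumes the JSON shape that `kubectl get requestauthentication -A -o json` produces and audits a constructed sample of that shape; it goes slightly beyond the advisory's filter by also reporting RFC 1918 private ranges and the unspecified address, since a fetch to those is equally unexpected for a JWKS endpoint. The same predicate, expressed in CEL, is what a ValidatingAdmissionPolicy would enforce on admission.

```python
"""Audit Istio RequestAuthentication resources for jwksUri values that would
make Istiod fetch from a loopback, link-local or otherwise internal address.

Added example for CVE-2026-41413; not part of the advisory or of Istio.
Input shape assumed: the JSON printed by
    kubectl get requestauthentication -A -o json
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Hostnames that always resolve to the local machine (compared lowercased).
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def classify_jwks_uri(uri: str) -> str:
    """Return 'ok', or the reason a policy should reject this jwksUri.

    Only literal hosts are judged. A DNS name that resolves to an internal
    address is reported as 'ok' here, because deciding that needs resolution
    at fetch time; admission-time checks share that limitation.
    """
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "non-http scheme"
    host = parts.hostname  # lowercased, IPv6 brackets stripped
    if not host:
        return "missing host"
    if host in LOCAL_HOSTNAMES or host.endswith(".localhost"):
        return "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "ok"  # a DNS name: cannot be judged statically
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address"
    if addr.is_unspecified:
        return "unspecified address"
    if addr.is_private:  # stricter than the advisory's localhost/link-local filter
        return "private address"
    return "ok"


def audit(kubectl_json: str) -> list:
    """Return (namespace/name, rule index, jwksUri, reason) for each rejected rule."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for idx, rule in enumerate(item.get("spec", {}).get("jwtRules", [])):
            uri = rule.get("jwksUri")
            if not uri:
                continue  # inline jwks or issuer discovery: no URL to inspect here
            reason = classify_jwks_uri(uri)
            if reason != "ok":
                findings.append((ref, idx, uri, reason))
    return findings


# Constructed sample in the kubectl JSON shape; names and URLs are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "jwt-example"},
     "spec": {"jwtRules": [
         {"issuer": "https://issuer.example.com",
          "jwksUri": "https://issuer.example.com/.well-known/jwks.json"}]}},
    {"metadata": {"namespace": "default", "name": "ssrf-probe"},
     "spec": {"jwtRules": [
         {"issuer": "a", "jwksUri": "http://127.0.0.1:8080/keys"},
         {"issuer": "b", "jwksUri": "http://LOCALHOST:9000/keys"},
         {"issuer": "c", "jwksUri": "http://[fe80::1]/keys"}]}},
    {"metadata": {"namespace": "istio-system", "name": "inline-jwks"},
     "spec": {"jwtRules": [{"issuer": "d", "jwks": "{\"keys\": []}"}]}},
]})

if __name__ == "__main__":
    for ref, idx, uri, reason in audit(SAMPLE):
        print(f"{ref} jwtRules[{idx}] {uri}: {reason}")
```

Run it against live output with `kubectl get requestauthentication -A -o json | python3 audit_jwks.py` after swapping `SAMPLE` for `sys.stdin.read()`; an empty result means no rule currently points Istiod at a literal internal address, which is the state the upgrade enforces by itself.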