CVE-2026-39350
Description
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
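The matching error the advisory describes, shown as an added illustration in Go (this is not Istio's matcher or its fix; the functions `matchAsRegex`, `matchLiteral` and `spuriousMatches` are hypothetical). A service account name compiled verbatim as a regular expression turns each `.` into a single-character wildcard; quoting the name with `regexp.QuoteMeta` before compiling restores literal comparison. `spuriousMatches` lists the look-alike identities that the wildcard interpretation would wrongly admit under an ALLOW rule, or wrongly let past a DENY rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical illustration of the advisory's bug class; this is not Istio's
// code. matchAsRegex compiles the configured service account name as a regular
// expression verbatim, so every '.' becomes a single-character wildcard.
func matchAsRegex(configured, actual string) bool {
	re := regexp.MustCompile("^" + configured + "$")
	return re.MatchString(actual)
}

// matchLiteral compares the configured name exactly. regexp.QuoteMeta escapes
// '.' and every other metacharacter, so the same engine now requires the
// literal byte; this is the behaviour an identity matcher needs.
func matchLiteral(configured, actual string) bool {
	re := regexp.MustCompile("^" + regexp.QuoteMeta(configured) + "$")
	return re.MatchString(actual)
}

// spuriousMatches returns the candidate names that the regex-style matcher
// accepts but exact comparison rejects: the identities a dotted ALLOW rule
// would wrongly admit, or a DENY rule on the same name would fail to block.
func spuriousMatches(configured string, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		if matchAsRegex(configured, c) && !matchLiteral(configured, c) {
			out = append(out, c)
		}
	}
	return out
}

func main() {
	// Constructed sample: the name from the advisory plus look-alike variants.
	candidates := []string{
		"cert-manager.io",
		"cert-manager-io",
		"cert-managerXio",
		"cert-manager.io.other", // longer name: rejected either way, the anchors hold
	}
	spurious := spuriousMatches("cert-manager.io", candidates)
	fmt.Println("names wrongly matched by the wildcard interpretation:", strings.Join(spurious, ", "))
}
```

When reviewing a policy engine or an AuthorizationPolicy of your own, the test to apply is the one `spuriousMatches` encodes: every configured principal containing a `.` should match itself and nothing else.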
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| istio.io/istio (Go) | >= 0.0.0-20241024090207-0bf27d49ba4b, < 0.0.0-20260403004500-692e460c342d | 0.0.0-20260403004500-692e460c342d |
Affected products
OSV coordinates (no CPE) with affected version ranges:
- pkg:apk/chainguard/cert-manager-istio-csr: < 0.16.0-r6
- pkg:apk/chainguard/cert-manager-istio-csr-fips: < 0.16.0-r6
- pkg:apk/wolfi/cert-manager-istio-csr: < 0.16.0-r6
- pkg:golang/istio.io/istio: >= 0.0.0-20241024090207-0bf27d49ba4b, < 0.0.0-20260403004500-692e460c342d
References (4)
News mentions (0)
No linked articles in our index yet.