{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39350", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.394Z", "datePublished": "2026-04-15T22:42:24.216Z", "dateUpdated": "2026-04-15T22:42:24.216Z"}, "containers": {"cna": {"title": "Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh"}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"version": ">= 1.25.0, < < 1.27.9", "status": "affected"}, {"version": ">= 1.28.0, < 1.28.6", "status": "affected"}, {"version": ">= 1.29.0, < 1.29.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T22:42:24.216Z"}, "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "source": {"advisory": "GHSA-9gcg-w975-3rjh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "id": "CVE-2026-39350", "lastModified": "2026-04-15T23:16:09.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T23:16:09.477", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.25.0,1.27.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.28.0,1.28.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "istio", "source": "cna", "vendor": "istio"}, "product": "istio", "vendor": "istio"}], "analysis": {"en": {"generated_at": "2026-04-16T02:16:27.063567+00:00", "value": {"mitigation_remediation": ["Upgrade Istio to a patched release, such as 1.27.9, 1.28.6, or 1.29.2.", "Review all AuthorizationPolicies that target service accounts containing periods and adjust them to avoid unintended regex matching; consider escaping dots or tightening allow lists.", "If an upgrade cannot be performed immediately, temporarily disable or remove any policies that target service accounts with periods until the fix is applied."], "summary": {"action": "Patch Now", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Vendors: Istio. Product: Istio. Affected versions include 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. Fixed releases are 1.27.9, 1.28.6, and 1.29.2. Systems running any of the listed versions are vulnerable until updated.", "description_and_impact": "An Istio AuthorizationPolicy bug causes serviceAccounts fields to misinterpret periods as regular expression metacharacters, allowing names such as cert\u2011manager.io to match cert\u2011manager-io, cert\u2011managerXio, etc. A policy that permits access to the intended account therefore becomes broadly permissive, while an equivalent DENY rule fails to block the variants. This flaw can be exploited to bypass access controls for any service account that contains dots, undermining confidentiality and integrity of services.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.4, indicating moderate severity, and there is no EPSS score available. It is not currently listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the attack vector requires the ability to create or modify AuthorizationPolicies. An attacker who can inject a malformed service account name or adjust a policy can gain unintended access, potentially escalating privileges within the mesh."}}}}, "created": "2026-04-16T00:30:18.769641+00:00", "updated": "2026-04-16T02:30:21.675416+00:00", "vendors": ["istio", "istio$PRODUCT$istio"]}