CVE-2026-31837

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31837
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31837.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31837
Aliases
  • GHSA-v75c-crr9-733c
Downstream
Published
2026-03-10T21:57:44.387Z
Modified
2026-03-13T11:37:04.357017Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.
Details

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Database specific 
{
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31837.json"
}
References

Affected packages

Git / github.com/istio/istio

Affected ranges

Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
8e673fa60bc4ca5e6fbc2bf2a1553ad3446ff32d
Fixed
6991a379e1fcfbe21e64da2eda5d56624a5547b4
Database specific 
{
    "versions": [
        {
            "introduced": "1.29.0-alpha.0"
        },
        {
            "fixed": "1.29.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
6000d6f4713c022c017f95d2ab8f54aa10b620e3
Fixed
7da6662175184479cb9281f3d814d6994bf1009f
Database specific 
{
    "versions": [
        {
            "introduced": "1.28.0-alpha.0"
        },
        {
            "fixed": "1.28.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/istio/istio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4aee98e195c1af3f5e9385c637050db22d8c41d8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.27.8"
        }
    ]
}

Affected versions

0.*
0.3.0
0.5.0
0.6.0
1.*
1.0.0
1.0.0-snapshot.0
1.0.0-snapshot.1
1.0.0-snapshot.2
1.1.0
1.1.0-rc.0
1.1.0-rc.1
1.1.0-rc.2
1.1.0-rc.3
1.1.0-rc.4
1.1.0-rc.5
1.1.0-rc.6
1.1.0-snapshot.2
1.1.0-snapshot.3
1.1.0-snapshot.4
1.1.0-snapshot.5
1.1.0-snapshot.6
1.1.0.snapshot.0
1.1.0.snapshot.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.12.0-alpha.0
1.12.0-alpha.1
1.12.0-alpha.5
1.18.0-alpha.0
1.19.0-alpha.0
1.19.0-alpha.1
1.2.0-rc.0
1.2.0-rc.3
1.22.0-alpha.1
1.23.0-alpha.0
1.24.0-alpha.0
1.25.0-alpha.0
1.26.0-alpha.0
1.27.0
1.27.0-beta.0
1.27.0-rc.0
1.27.1
1.27.2
1.27.3
1.27.5
1.27.6
1.27.7
1.28.0
1.28.0-alpha.0
1.28.0-beta.0
1.28.0-beta.1
1.28.0-rc.0
1.28.0-rc.1
1.28.2
1.28.3
1.28.4
1.5.0-alpha.0
1.5.0-beta.1
1.5.0-beta.2
1.6.0-alpha.0
1.6.0-alpha.1
1.6.0-alpha.2
1.7.0-alpha.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31837.json"