CVE-2026-39350

Source
https://cve.org/CVERecord?id=CVE-2026-39350
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39350.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39350
Aliases
Downstream
Related
Published
2026-04-15T22:42:24.216Z
Modified
2026-07-15T01:48:54.937568564Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass
Details

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39350.json",
    "cwe_ids": [
        "CWE-185",
        "CWE-863"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": ">= 1.25.0, < < 1.27.9"
                },
                {
                    "last_affected": ">= 1.25.0, < < 1.27.9"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/istio/istio

Affected ranges

Type
GIT
Repo
https://github.com/istio/istio
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.25.0"
        },
        {
            "fixed": "1.27.9"
        },
        {
            "introduced": "1.28.0"
        },
        {
            "fixed": "1.28.6"
        },
        {
            "introduced": "1.29.0"
        },
        {
            "fixed": "1.29.2"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*"
}

Affected versions

1.*
1.28.0
1.28.0-rc.1
1.28.2
1.28.3
1.28.4
1.29.0
1.29.0-rc.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39350.json"