{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39350", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.394Z", "datePublished": "2026-04-15T22:42:24.216Z", "dateUpdated": "2026-04-16T12:04:54.038Z"}, "containers": {"cna": {"title": "Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh"}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"version": ">= 1.25.0, < < 1.27.9", "status": "affected"}, {"version": ">= 1.28.0, < 1.28.6", "status": "affected"}, {"version": ">= 1.29.0, < 1.29.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T22:42:24.216Z"}, "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "source": {"advisory": "GHSA-9gcg-w975-3rjh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:13:51.307915Z", "id": "CVE-2026-39350", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:04:54.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T11:13:51.307915Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:13:57.554Z"}}], "cna": {"title": "Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass", "source": {"advisory": "GHSA-9gcg-w975-3rjh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"status": "affected", "version": ">= 1.25.0, < < 1.27.9"}, {"status": "affected", "version": ">= 1.28.0, < 1.28.6"}, {"status": "affected", "version": ">= 1.29.0, < 1.29.2"}]}], "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "name": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-185", "description": "CWE-185: Incorrect Regular Expression"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T22:42:24.216Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39350", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:04:54.038Z", "dateReserved": "2026-04-06T20:28:38.394Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T22:42:24.216Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9."}], "id": "CVE-2026-39350", "lastModified": "2026-04-15T23:16:09.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T23:16:09.477", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-185"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names", "id": "2458851", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458851"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-625", "details": ["A flaw was found in Istio, an open platform designed to connect, manage, and secure microservices. The serviceAccounts and notServiceAccounts fields within Istio's AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. This vulnerability allows an attacker to craft service account names that can bypass intended authorization rules. As a result, an ALLOW policy may grant access to unauthorized service accounts, or a DENY policy may fail to block malicious variants, potentially leading to unauthorized access or information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-39350", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-proxyv2-rhel9", "product_name": "OpenShift Service Mesh 3"}], "public_date": "2026-04-15T22:42:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39350\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39350\nhttps://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh"], "statement": "This vulnerability in Istio's AuthorizationPolicy allows for authorization bypass due to incorrect interpretation of dots in service account names. This can lead to unintended access grants or failures in blocking unauthorized service accounts. In Istio service account names may have the '.' character however the AuthorizationPolicy always interpret the '.' as in a regular expression, meaning it'll match any character between the two letters before and after the dot character.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.25.0,1.27.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.28.0,1.28.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "istio", "source": "cna", "vendor": "istio"}, "product": "istio", "vendor": "istio"}], "analysis": {"en": {"generated_at": "2026-04-17T06:26:04.854126+00:00", "value": {"mitigation_remediation": ["Upgrade Istio to a patched release, such as 1.27.9, 1.28.6, or 1.29.2.", "Review all AuthorizationPolicies that target service accounts containing periods and adjust them to avoid unintended regex matching; consider escaping dots or tightening allow lists.", "If an upgrade cannot be performed immediately, temporarily disable or remove any policies that target service accounts with periods until the fix is applied."], "summary": {"action": "Patch Now", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "Vendors: Istio. Product: Istio. Affected versions include 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1. Fixed releases are 1.27.9, 1.28.6, and 1.29.2. Systems running any of the listed versions are vulnerable until updated.", "description_and_impact": "An Istio AuthorizationPolicy bug causes serviceAccounts fields to misinterpret periods as regular expression metacharacters, allowing names such as cert-manager.io to match cert-manager-io, cert-managerXio, etc. A policy that permits access to the intended account therefore becomes broadly permissive, while an equivalent DENY rule fails to block the variants. This flaw can be exploited to bypass access controls for any service account that contains dots, undermining confidentiality and integrity of services.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.4, indicating moderate severity, and an EPSS score of 0.00025. It is not currently listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the attack vector requires the ability to create or modify AuthorizationPolicies. An attacker who can inject a malformed service account name or adjust a policy can gain unintended access, potentially escalating privileges within the mesh."}}}}, "created": "2026-04-16T00:30:18.769641+00:00", "updated": "2026-04-17T06:30:11.607777+00:00", "vendors": ["istio", "istio$PRODUCT$istio"]}