Bug 2467646 (CVE-2026-41413)

Summary: CVE-2026-41413 Istio: Istio: Information disclosure through unauthenticated internal service requests
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Istio. When a RequestAuthentication resource is created with a jwksUri (JSON Web Key Set Uniform Resource Identifier) that points to an internal service, istiod (the Istio control plane daemon) makes an unauthenticated HTTP GET request to that URL. This request does not properly filter out localhost or link-local IP addresses. Consequently, sensitive data can be inadvertently distributed to Envoy proxies via xDS (API for dynamic configuration) configuration, leading to information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-07 06:01:24 UTC
Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2.