Bug 2467646 (CVE-2026-41413)
| Summary: | CVE-2026-41413 Istio: Istio: Information disclosure through unauthenticated internal service requests | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Istio. When a RequestAuthentication resource is created with a jwksUri (JSON Web Key Set Uniform Resource Identifier) that points to an internal service, istiod (the Istio control plane daemon) makes an unauthenticated HTTP GET request to that URL. This request does not properly filter out localhost or link-local IP addresses. Consequently, sensitive data can be inadvertently distributed to Envoy proxies via xDS (API for dynamic configuration) configuration, leading to information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-05-07 06:01:24 UTC
|