2458851 – (CVE-2026-39350) CVE-2026-39350 Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names

Bug 2458851 (CVE-2026-39350) - CVE-2026-39350 Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names

Summary: CVE-2026-39350 Istio: github.com/istio/istio: Istio: Authorization bypass via...

Keywords:
Status:	NEW
Alias:	CVE-2026-39350
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-15 23:01 UTC by OSIDB Bzimport
Modified:	2026-04-16 21:03 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-15 23:01:13 UTC

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.

Comment 2 Marco Benatto 2026-04-16 21:03:10 UTC

Public Upstream commit fixing this issue:
https://github.com/istio/istio/pull/59700/commits/c0be0eadcb50735260082b1ae1973e590474ffa8

Note You need to log in before you can comment on or make changes to this bug.