Zero Day Monitor © 2026
CVE-2026-39350 · CVSS 5.4 · EXPLOITED · PATCHED
Vendor: istio · Product: istio

Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass

Description

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
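The following is an added example, not code from the advisory or from the Istio project. It models the matching flaw described above and audits policy objects for names that are exposed to it. regex_interpreted_match emulates the faulty behaviour by treating the configured name as an anchored regular expression; it is a model of the bug, not Istio's matching code. The SAMPLE_POLICIES data and its names are constructed; the field shape (spec.rules[].from[].source.serviceAccounts / notServiceAccounts) follows the AuthorizationPolicy API as I understand it, and the effects listed for notServiceAccounts are inferred from its negation semantics rather than stated on this page.

```python
import re

# Constructed sample policies in AuthorizationPolicy shape (dict form of the YAML).
# "cert-manager.io" is the example name used in the advisory text; the rest are made up.
SAMPLE_POLICIES = [
    {
        "kind": "AuthorizationPolicy",
        "metadata": {"name": "allow-cert-manager", "namespace": "istio-system"},
        "spec": {
            "action": "ALLOW",
            "rules": [
                {"from": [{"source": {"serviceAccounts": ["cert-manager.io", "ingress-gateway"]}}]}
            ],
        },
    },
    {
        "kind": "AuthorizationPolicy",
        "metadata": {"name": "deny-legacy", "namespace": "payments"},
        "spec": {
            "action": "DENY",
            "rules": [
                {"from": [{"source": {"notServiceAccounts": ["batch"],
                                      "serviceAccounts": ["legacy.v1"]}}]}
            ],
        },
    },
]

FIELDS = ("serviceAccounts", "notServiceAccounts")

# Effect of a dotted name per (action, field). The ALLOW/serviceAccounts and
# DENY/serviceAccounts rows are what the advisory states; the notServiceAccounts
# rows are inferred from the field's negation semantics (assumption).
EFFECTS = {
    ("ALLOW", "serviceAccounts"): "look-alike names are also allowed (bypass)",
    ("ALLOW", "notServiceAccounts"): "look-alike names are also excluded from the allow (over-restrictive)",
    ("DENY", "serviceAccounts"): "look-alike names are not blocked (bypass)",
    ("DENY", "notServiceAccounts"): "look-alike names are also exempted from the deny (bypass)",
}


def regex_interpreted_match(configured: str, actual: str) -> bool:
    """Model of the flawed behaviour: the configured name is used as an anchored
    regular expression, so '.' matches any single character."""
    return re.fullmatch(configured, actual) is not None


def literal_match(configured: str, actual: str) -> bool:
    """Intended semantics after the fix: exact string comparison."""
    return configured == actual


def unintended_matches(configured: str, candidates: list[str]) -> list[str]:
    """Names that the flawed matcher accepts but a literal comparison would not."""
    return [c for c in candidates
            if regex_interpreted_match(configured, c) and not literal_match(configured, c)]


def dotted_entries(policy: dict) -> list[tuple[str, str, str]]:
    """(action, field, value) for every serviceAccounts/notServiceAccounts entry
    containing '.', the only regex metacharacter a Kubernetes service account
    name can contain (names are DNS-1123 subdomains: [a-z0-9.-])."""
    spec = policy.get("spec", {})
    action = spec.get("action", "ALLOW")  # ALLOW is the API default
    found = []
    for rule in spec.get("rules", []):
        for frm in rule.get("from", []):
            source = frm.get("source", {})
            for field in FIELDS:
                for value in source.get(field, []):
                    if "." in value:
                        found.append((action, field, value))
    return found


def audit(policies: list[dict]) -> list[str]:
    """One finding per dotted entry, naming the policy, field and expected effect."""
    findings = []
    for policy in policies:
        meta = policy.get("metadata", {})
        label = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
        for action, field, value in dotted_entries(policy):
            findings.append(f"{label}: {action} {field}={value!r} contains '.'; {EFFECTS[(action, field)]}")
    return findings


if __name__ == "__main__":
    print(unintended_matches("cert-manager.io",
                             ["cert-manager.io", "cert-manager-io", "cert-managerXio", "cert-manager.com"]))
    for line in audit(SAMPLE_POLICIES):
        print(line)
```

Run the audit over policies exported from a cluster (for example the output of a kubectl get of AuthorizationPolicy objects, loaded into dicts) to list the entries that need attention until the deployment is on a fixed release; a dotted name is only a risk on the affected versions listed above.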

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| istio | istio | go/istio.io/istio: >= 0.0.0-20241024090207-0bf27d49ba4b, < 0.0.0-20260403004500-692e460c342d |

References

  • https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh (x_refsource_CONFIRM)

Related News (1 article)

  • Tier C · VulDB · 79d ago
    CVE-2026-39350 | Istio up to 1.27.8/1.28.5/1.29.1 notServiceAccounts incorrect regex (GHSA-9gcg-w975-3rjh)
    → No new info (linked only)
CVSS 3.1: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: istio.io/istio@0.0.0-20260403004500-692e460c342d
CWE: CWE-185
Published: Apr 15, 2026
Last enriched: 78d ago (v2)
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (2)

  • HIGH · PRE-CVE: Istio Wasm OCI Image Fetcher SSRF Bypass Vulnerability (Trending: 27)
  • MEDIUM · CVE-2026-41413: Istio Vulnerable to SSRF via RequestAuthentication jwksUri


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 15, 2026: CVE Published
  • Apr 15, 2026: Discovered by ZDM
  • Apr 16, 2026: Updated: severity, activelyExploited
  • Apr 16, 2026: Actively Exploited
  • Apr 16, 2026: Patch Available

Version History

v2 · Tier C · 78d ago (last enriched)
  Updated severity to CRITICAL and marked the vulnerability as actively exploited.
  Fields changed: severity, activelyExploited
  Source: VulDB

v1 · 79d ago
  Initial creation