Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVSS 5.0 · CVE-2026-41413 · PATCHED
Vendor: istio · Product: istio

Istio Vulnerable to SSRF via RequestAuthentication jwksUri

Description

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link-local IP addresses. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2.
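A defensive pre-fetch check for the class of issue described above, written as an added example (it is not Istio's code or its fix): it vets a jwksUri before any control-plane component fetches it, rejecting hosts that are, or resolve to, loopback, link-local or unspecified addresses, with an option to also block private ranges. The Resolver type, the function names and the sample hostnames are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to the addresses a fetch would connect to;
// pass net.LookupIP in production and a stub in tests (hypothetical type).
type Resolver func(host string) ([]net.IP, error)

// disallowed rejects loopback, link-local and unspecified addresses; RFC 1918 /
// fc00::/7 ranges only when blockPrivate is set (in-cluster JWKS servers often live there).
func disallowed(ip net.IP, blockPrivate bool) bool {
	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsUnspecified() {
		return true
	}
	return blockPrivate && ip.IsPrivate()
}

// CheckJWKSURI rejects raw when its host is, or resolves to, a disallowed
// address. Every resolved address is checked so a name with mixed public and
// loopback records cannot pass. The fetcher must still pin its dialer to the
// vetted addresses, or a later re-resolution (DNS rebinding) undoes the check.
func CheckJWKSURI(raw string, blockPrivate bool, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid jwksUri: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("jwksUri scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets removed
	if host == "" {
		return fmt.Errorf("jwksUri has no host")
	}
	ips := []net.IP{net.ParseIP(host)} // literal address, incl. IPv4-mapped IPv6
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("resolving %q: %v (addresses: %d)", host, err, len(ips))
		}
	}
	for _, ip := range ips {
		if disallowed(ip, blockPrivate) {
			return fmt.Errorf("jwksUri host %q maps to disallowed address %s", host, ip)
		}
	}
	return nil
}
```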

Affected Products

Vendor: istio
Product: istio
Versions: go/istio.io/istio < 0.0.0-20260410004459-189832a289c1

References

  • https://github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc (x_refsource_CONFIRM)
  • https://github.com/istio/istio/releases/tag/1.28.6 (x_refsource_MISC)
  • https://github.com/istio/istio/releases/tag/1.29.2 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 57d ago
CVE-2026-41413 | Istio up to 1.28.5/1.29.1 HTTP GET Request server-side request forgery
→ No new info (linked only)
CVSS 3.1: 5.0 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA KEV: No
Actively exploited: No
Patch available: istio.io/istio@0.0.0-20260410004459-189832a289c1
CWE: CWE-918
Published: May 7, 2026
Last enriched: 57d ago (v2)
Tags: CVE-2026-41413
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (2)

HIGH · PRE-CVE
Istio Wasm OCI Image Fetcher SSRF Bypass Vulnerability
Trending: 27
MEDIUM · CVE-2026-39350 · EXP
Istio AuthorizationPolicy Incorrect Regex Matching of Dots in serviceAccounts Fields Allows Policy Bypass


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 7, 2026
Discovered by ZDM: May 7, 2026
Updated (severity, patchAvailable, tags): May 7, 2026
Patch Available: May 7, 2026

Version History

v2 · Tier C · Last enriched 57d ago

Updated severity to CRITICAL, marked as not actively exploited, added patch version 1.28.6, and included new tag CVE-2026-41413.

Fields changed: severity, patchAvailable, tags
via VulDB

v1 · 58d ago

Initial creation