{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-15T22:42:24Z",
  "bugzilla" : {
    "description" : "Istio: github.com/istio/istio: Istio: Authorization bypass via incorrect interpretation of dots in service account names",
    "id" : "2458851",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458851"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-625",
  "details" : [ "Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.", "A flaw was found in Istio, an open platform designed to connect, manage, and secure microservices. The serviceAccounts and notServiceAccounts fields within Istio's AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. This vulnerability allows an attacker to craft service account names that can bypass intended authorization rules. As a result, an ALLOW policy may grant access to unauthorized service accounts, or a DENY policy may fail to block malicious variants, potentially leading to unauthorized access or information disclosure." ],
  "statement" : "This vulnerability in Istio's AuthorizationPolicy allows an authorization bypass due to the incorrect interpretation of dots in service account names. It can lead to unintended access grants (an ALLOW rule matching more service accounts than intended) or to DENY rules failing to block unauthorized service accounts. In Istio, service account names may contain the '.' character; however, the serviceAccounts and notServiceAccounts fields of AuthorizationPolicy always treat '.' as a regular-expression metacharacter, so it matches any single character between the two characters before and after the dot rather than a literal dot. Exploitation requires an attacker who can obtain a workload identity whose service account name differs from the targeted name only at the dot position.",
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-service-mesh/istio-proxyv2-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39350\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39350\nhttps://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh" ],
  "name" : "CVE-2026-39350",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}