CVEs reported by Envoy and Istio security fixes.

Istio is an open-source service mesh platform that helps developers connect, secure, and manage microservices-based applications. With features such as traffic management, security policies, and observability tools, Istio simplifies the complexities of microservices architecture, enabling developers to build resilient and scalable applications. Through documentation, tutorials, and community support, Istio provides developers with the tools and resources needed to implement service mesh patterns and improve the reliability and performance of their distributed systems.

Istio

Istio has disclosed security advisory ISTIO-SECURITY-2026-001 covering multiple CVEs in both Envoy and Istio. Key vulnerabilities include: a high-severity RBAC header matcher bypass in Envoy (CVSS 7.5) that allows authorization policy evasion when headers have multiple values; a critical JWKS resolver failure (CVSS 8.7) that may allow authentication bypass using publicly known default keys when JWKS fetch fails, affecting users with RequestAuthentication and jwksUri configured; unauthenticated access to XDS debug endpoints on plaintext port 15010; a potential SSRF in WasmPlugin image fetching; and cross-namespace proxy data access via debug endpoints. Additional Envoy fixes address use-after-free conditions, an IPv6 address crash, and a JSON escaper off-by-one write. Affected versions are Istio 1.27.0–1.27.7 and 1.28.0–1.28.4. All users on these versions should upgrade immediately.

Istio / ISTIO-SECURITY-2026-001