Istio has disclosed security advisory ISTIO-SECURITY-2026-001 covering multiple CVEs in both Envoy and Istio. Key vulnerabilities include: a high-severity RBAC header matcher bypass in Envoy (CVSS 7.5) that allows authorization policy evasion when headers have multiple values; a critical JWKS resolver failure (CVSS 8.7) that may allow authentication bypass using publicly known default keys when JWKS fetch fails, affecting users with RequestAuthentication and jwksUri configured; unauthenticated access to XDS debug endpoints on plaintext port 15010; a potential SSRF in WasmPlugin image fetching; and cross-namespace proxy data access via debug endpoints. Additional Envoy fixes address use-after-free conditions, an IPv6 address crash, and a JSON escaper off-by-one write. Affected versions are Istio 1.27.0–1.27.7 and 1.28.0–1.28.4. All users on these versions should upgrade immediately.
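The advisory's "Am I Impacted?" question comes down to two checks the summary names: is the control plane on one of the affected version ranges, and does any RequestAuthentication carry a `jwksUri` (the configuration under which the JWKS resolver failure can lead to authentication bypass). The following triage script is an added example, not Istio's own tooling and not code from the advisory; it assumes the list-shaped JSON that `kubectl get requestauthentications -A -o json` returns, and the version strings and resources it inspects are constructed sample data.

```python
"""Triage helper for ISTIO-SECURITY-2026-001 (added example, not Istio tooling).

Checks two things the advisory summary calls out:
  1. whether an Istio version string falls inside the affected ranges, and
  2. which RequestAuthentication jwtRules set jwksUri, the precondition named
     for the JWKS resolver failure.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory summary (inclusive bounds).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 27, 0), (1, 27, 7)),
    ((1, 28, 0), (1, 28, 4)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from strings such as '1.28.3' or 'v1.27.5-distroless'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True if the version lies inside any affected range (tuple comparison is lexicographic)."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def jwks_uri_rules(kubectl_json: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, name, jwksUri) for every jwtRule that fetches keys remotely.

    Rules that embed keys inline via `jwks` are not listed, because the advisory
    ties the issue to the jwksUri fetch path. Input is assumed to be the JSON
    list that `kubectl get requestauthentications -A -o json` prints.
    """
    doc = json.loads(kubectl_json)
    hits: List[Tuple[str, str, str]] = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("jwtRules", []):
            uri = rule.get("jwksUri")
            if uri:
                hits.append((meta.get("namespace", ""), meta.get("name", ""), uri))
    return hits


def triage(version_text: str, kubectl_json: str) -> Dict[str, object]:
    """Combine both checks into one verdict a responder can act on."""
    affected = is_affected_version(version_text)
    remote_jwks = jwks_uri_rules(kubectl_json)
    return {
        "version": ".".join(map(str, parse_version(version_text))),
        "affected_version": affected,
        "jwks_uri_rules": remote_jwks,
        # Upgrade is the advisory's remediation for every affected version; the
        # JWKS finding only adds urgency when the version is also affected.
        "upgrade_required": affected,
        "jwks_exposure": affected and bool(remote_jwks),
    }


# Constructed sample input: two RequestAuthentication objects, one fetching keys
# over jwksUri and one carrying an inline jwks document.
SAMPLE_REQUESTAUTH_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "jwt-example"},
            "spec": {"jwtRules": [{
                "issuer": "https://issuer.example.test",
                "jwksUri": "https://issuer.example.test/.well-known/jwks.json",
            }]},
        },
        {
            "metadata": {"namespace": "payments", "name": "inline-keys"},
            "spec": {"jwtRules": [{
                "issuer": "https://inline.example.test",
                "jwks": "{\"keys\": []}",
            }]},
        },
    ],
})

if __name__ == "__main__":
    for sample_version in ["1.27.7", "1.28.5", "v1.28.0-distroless"]:
        print(json.dumps(triage(sample_version, SAMPLE_REQUESTAUTH_JSON), indent=2))
```

In practice the version string comes from `istioctl version` or the istiod image tag and the JSON from `kubectl`; the script only classifies what it is given, so a clean verdict on an unaffected version still leaves the other advisory items (XDS debug port 15010, WasmPlugin image fetching, proxy debug endpoints) to be confirmed by upgrading as the advisory directs.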

From istio.io