Istio has disclosed two moderate-severity CVEs affecting versions 1.28.0–1.28.5. CVE-2026-39350 (CVSS 5.4) is a regex-injection issue in the serviceAccounts field of AuthorizationPolicy: the entries are compiled into a regular expression without escaping the dot character, so a "." in a namespace or service account name matches any character, and a workload whose principal differs only at those positions can satisfy an ALLOW rule or slip past a DENY rule intended for another account. CVE-2026-41413 (CVSS 5.0) is an SSRF issue in the jwksUri field of RequestAuthentication: the control plane fetches the JWKS from whatever URL that field names, so anyone able to write a RequestAuthentication can make istiod reach internal endpoints such as cloud metadata services. Users should upgrade to Istio 1.29.2 or 1.28.6 to remediate both issues.
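The two bug classes above, as an added illustration in Go that is not Istio's own code: `naiveMatcher` splices a `namespace/serviceaccount` entry into a principal-matching regex without escaping (the over-match), `safeMatcher` applies `regexp.QuoteMeta` first, and `validateJWKSURI` shows the kind of destination check a control plane should run before fetching a user-supplied jwksUri. The principal format, the regex shape, and the `lookup` callback are assumptions made for the example, not Istio internals.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// principalFor builds a SPIFFE-style principal as Istio presents it in
// policy evaluation, e.g. "cluster.local/ns/default/sa/my.sa" (assumed format).
func principalFor(ns, sa string) string {
	return "cluster.local/ns/" + ns + "/sa/" + sa
}

// naiveMatcher mirrors the vulnerable pattern: the entry is interpolated into
// a regex verbatim, so a '.' in the name becomes "any character".
func naiveMatcher(entry string) (*regexp.Regexp, error) {
	ns, sa, ok := strings.Cut(entry, "/")
	if !ok {
		return nil, errors.New("serviceAccounts entry must be namespace/name")
	}
	return regexp.Compile("^[^/]+/ns/" + ns + "/sa/" + sa + "$")
}

// safeMatcher escapes every regex metacharacter before interpolation, so the
// entry can only match the literal account it names.
func safeMatcher(entry string) (*regexp.Regexp, error) {
	ns, sa, ok := strings.Cut(entry, "/")
	if !ok {
		return nil, errors.New("serviceAccounts entry must be namespace/name")
	}
	return regexp.Compile("^[^/]+/ns/" + regexp.QuoteMeta(ns) + "/sa/" + regexp.QuoteMeta(sa) + "$")
}

// validateJWKSURI rejects jwksUri values that would make the control plane
// connect to loopback, link-local (where cloud metadata services live),
// private-range or unspecified addresses. The resolver is injected so the
// check runs offline; in production pass a real DNS lookup and pin the
// resolved address at dial time to avoid a rebinding race.
func validateJWKSURI(raw string, lookup func(host string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return fmt.Errorf("jwksUri: unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("jwksUri: missing host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return fmt.Errorf("jwksUri: resolving %q: %w", host, err)
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified() {
			return fmt.Errorf("jwksUri: %q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: a policy for "default/my.sa" and an attacker account "myXsa".
	policyEntry, victim, attacker := "default/my.sa", principalFor("default", "my.sa"), principalFor("default", "myXsa")
	for name, build := range map[string]func(string) (*regexp.Regexp, error){"naive": naiveMatcher, "safe": safeMatcher} {
		re, err := build(policyEntry)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s matches victim=%v attacker=%v\n", name, re.MatchString(victim), re.MatchString(attacker))
	}
	// Constructed resolver: every hostname maps to a public address.
	lookup := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("93.184.216.34")}, nil }
	for _, uri := range []string{"https://idp.example.com/.well-known/jwks.json", "http://169.254.169.254/latest/meta-data/"} {
		fmt.Printf("%s -> %v\n", uri, validateJWKSURI(uri, lookup))
	}
}
```

The naive matcher accepts the attacker principal while the escaped one does not; the metadata URL is rejected because 169.254.0.0/16 is link-local. The destination check alone is not a complete SSRF fix: redirects returned by the JWKS endpoint need the same validation, and the resolved IP must be the one actually dialed.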