Istio
CVE-2026-31837
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N), but gated on a JWKS fetch-failure precondition the attacker does not reliably control (AC:H); impact is authorization/confidentiality only (C:H, I/A:N).
CVSS 3.x: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (github).
Description (CVE.org)
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Analysis (AI-generated)
Authentication enforcement in Istio service mesh fails open: prior to 1.29.1, 1.28.5, and 1.27.8, when the JWKS resolver is unavailable or a key fetch fails, the proxy falls back to hardcoded defaults instead of denying the request, undermining JWT validation configured via the RequestAuthentication resource and exposing protected services to unauthorized access. The flaw (CWE-200, vendor CVSS 4.0 8.7) is remotely reachable without authentication, but is conditioned on a JWKS fetch failure. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that Istio's JWKS resolver be unavailable or that a JWKS fetch fail for an issuer configured in a RequestAuthentication resource; under that condition the proxy uses hardcoded defaults instead of the operator's keys, weakening JWT enforcement. … |
| Risk Assessment | Signals are mixed and warrant nuance. … |
| Exploit Scenario | An attacker targets a service mesh whose RequestAuthentication relies on a remotely fetched JWKS; during a JWKS endpoint outage (or by inducing one), the proxy falls back to hardcoded defaults and no longer correctly enforces JWT validation, letting the attacker reach protected endpoints with crafted or otherwise-rejected tokens. No public exploit is identified at time of analysis, and the CVSS network/low-complexity vector means the request itself is trivial to send once the JWKS fetch is failing. |
| Remediation | Vendor-released patch: upgrade Istio to 1.29.1, 1.28.5, or 1.27.8 (whichever matches your minor branch) per GHSA-v75c-crr9-733c (https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c). … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all Istio deployments, identify versions currently running, and document JWKS resolver configuration and availability. …
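An added triage helper for the inventory step above (example code, not from the advisory or the Istio project): it checks a running Istio version against the fixed releases the advisory names and lists the RequestAuthentication rules that fetch keys via `jwksUri`, since only those are subject to the fetch-failure precondition. The JSON shape follows Istio's RequestAuthentication API (`spec.jwtRules[].jwksUri` / `.jwks`); the sample items are constructed.

```python
"""Triage helper for CVE-2026-31837: flag Istio versions that predate the fix and
list RequestAuthentication rules that depend on a remotely fetched JWKS."""
import re

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(1, 29): (1, 29, 1), (1, 28): (1, 28, 5), (1, 27): (1, 27, 8)}

def parse_version(text):
    """Turn '1.28.4' or 'v1.28.4-distroless' into (1, 28, 4)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(text):
    """True when the version is older than the fix on its branch."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        # The advisory lists no fix for other branches: those older than 1.27 predate
        # every fix and count as affected; newer branches were cut after the fix.
        return ver[:2] < (1, 27)
    return ver < fixed

def remote_jwks_rules(items):
    """(namespace, name, issuer, jwksUri) for each jwtRule that fetches keys over the network.
    Rules with an inline 'jwks' never fetch, so the fetch-failure precondition does not apply."""
    found = []
    for item in items:
        meta = item["metadata"]
        for rule in item.get("spec", {}).get("jwtRules", []):
            if rule.get("jwksUri"):
                found.append((meta["namespace"], meta["name"], rule.get("issuer"), rule["jwksUri"]))
    return found

# Constructed sample shaped like `kubectl get requestauthentication -A -o json` output.
SAMPLE_ITEMS = [
    {"metadata": {"namespace": "default", "name": "api-jwt"},
     "spec": {"jwtRules": [{"issuer": "https://issuer.example",
                            "jwksUri": "https://issuer.example/.well-known/jwks.json"}]}},
    {"metadata": {"namespace": "internal", "name": "inline-keys"},
     "spec": {"jwtRules": [{"issuer": "internal-issuer", "jwks": '{"keys": []}'}]}},
]

if __name__ == "__main__":
    for v in ("1.28.4", "1.28.5", "1.26.9", "1.30.0"):
        print(v, "AFFECTED" if is_affected(v) else "fixed")
    for ns, name, issuer, uri in remote_jwks_rules(SAMPLE_ITEMS):
        print(f"{ns}/{name}: issuer={issuer} fetches {uri}")
```

Feed the real list from `kubectl get requestauthentication -A -o json` (its `items` array) into `remote_jwks_rules` to get the policies whose JWKS availability you need to document.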
Weakness: CWE-200 (Information Exposure); technique: Information Disclosure.
Vendor status: SUSE rates the severity High.