Istio CVE-2026-31837

Severity: HIGH (8.7, CVSS 4.0)
Weakness: Information Exposure (CWE-200)
Published: 2026-03-10 by security-advisories@github.com
Vendor: github

Severity by source

  • Vendor (github), primary: 8.7 HIGH
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vuln.today AI: 5.9 MEDIUM
    Rationale: Network-reachable and unauthenticated (AV:N/PR:N), but gated on a JWKS fetch-failure precondition the attacker does not reliably control (AC:H); impact is authorization/confidentiality only (C:H, I/A:N).
    CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • SUSE: 7.5 HIGH
    Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (github).

CVSS Vector (Vendor: github)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X (not a CVSS 4.0 base metric; the S:X in the vector is the supplemental Safety metric, left not defined)

Lifecycle Timeline (6 events)

  • Jun 30, 2026 04:58, vuln.today: Analysis Updated, v3 (cvss_changed)
  • Jun 30, 2026 04:56, vuln.today: Analysis Updated, v2 (cvss_changed)
  • Jun 30, 2026 03:24, vuln.today: Re-analysis Queued (cvss_changed)
  • Jun 30, 2026 03:24, NVD: CVSS changed, 7.5 (HIGH) → 8.7 (HIGH)
  • Mar 12, 2026 21:55, vuln.today: Analysis Generated
  • Mar 10, 2026 22:16, nvd: CVE Published, HIGH 7.5

Description (CVE.org)

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Analysis (AI)

Authentication enforcement in Istio service mesh fails open: prior to 1.29.1, 1.28.5, and 1.27.8, when the JWKS resolver is unavailable or a key fetch fails, the proxy falls back to hardcoded defaults instead of denying the request, undermining JWT validation configured via the RequestAuthentication resource and exposing protected services to unauthorized access. The flaw (CWE-200, vendor CVSS 4.0 8.7) is remotely reachable without authentication, but is conditioned on a JWKS fetch failure. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify mesh using RequestAuthentication JWT auth
  • Delivery: JWKS resolver unavailable or fetch fails
  • Exploit: Proxy falls back to hardcoded defaults
  • Execution: Send request with invalid/crafted token
  • Impact: Reach protected service, disclose data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that Istio's JWKS resolver be unavailable or that a JWKS fetch fail for an issuer configured in a RequestAuthentication resource; under that condition the proxy uses hardcoded defaults instead of the operator's keys, weakening JWT enforcement. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are mixed and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker targets a service mesh whose RequestAuthentication relies on a remotely fetched JWKS; during a JWKS endpoint outage (or by inducing one), the proxy falls back to hardcoded defaults and no longer correctly enforces JWT validation, letting the attacker reach protected endpoints with crafted or otherwise-rejected tokens. No public exploit is identified at time of analysis, and the CVSS network/low-complexity vector means the request itself is trivial to send once the JWKS fetch is failing.

Remediation: Vendor-released patch: upgrade Istio to 1.29.1, 1.28.5, or 1.27.8 (whichever matches your minor branch) per GHSA-v75c-crr9-733c (https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Istio deployments, identify versions currently running, and document JWKS resolver configuration and availability. …
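To support the inventory step above, here is an added Python triage helper (not vuln.today's or Istio's own code) that compares each running Istio version against the fixed releases named on this page, treating a pre-release of the fixed version as still vulnerable; the sample inventory is constructed, and counting branches newer than 1.29 as fixed and unlisted older branches as unknown is an assumption.

```python
# Triage helper for CVE-2026-31837 (added example, not vuln.today's or Istio's code).
# Fixed releases come from the advisory text on this page.
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {(1, 29): (1, 29, 1), (1, 28): (1, 28, 5), (1, 27): (1, 27, 8)}

# Accepts 'v1.28.3', '1.28.3', '1.28.5-rc.1' and an optional '+build' suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); raise ValueError on junk input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def assess(version_text):
    """Return (verdict, fixed_release); verdict is 'fixed', 'vulnerable' or 'unknown'."""
    version, prerelease = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: branches newer than any listed one carry the fix; older branches
        # the advisory does not mention get no verdict rather than a false 'fixed'.
        return ("fixed", None) if branch > max(FIXED_VERSIONS) else ("unknown", None)
    if version > fixed or (version == fixed and not prerelease):
        return "fixed", fixed
    # A pre-release of the fixed version (e.g. 1.28.5-rc.1) still precedes the fix.
    return "vulnerable", fixed


def triage(inventory):
    """Map each deployment name in {name: version_string} to its verdict."""
    return {name: assess(version)[0] for name, version in inventory.items()}


# Constructed sample inventory, not real clusters.
SAMPLE_INVENTORY = {"prod-east": "1.28.3", "prod-west": "v1.29.1",
                    "staging": "1.27.8-rc.1", "legacy": "1.26.4"}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```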

Vendor Status

  • SUSE: Severity High

CVE-2026-31837 vulnerability details – vuln.today