Skip to main content

Istio CVE-2026-41413

| EUVDEUVD-2026-28315 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-07 GitHub_M
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Red Hat
5.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
May 07, 2026 - 07:01 EUVD
Source Code Evidence Fetched
May 07, 2026 - 05:45 vuln.today
Analysis Generated
May 07, 2026 - 05:45 vuln.today
CVE Published
May 07, 2026 - 04:18 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2.

AnalysisAI

Istio versions prior to 1.28.6 and 1.29.2 allow authenticated attackers to perform Server-Side Request Forgery (SSRF) attacks via RequestAuthentication resources with malicious jwksUri values pointing to internal services, enabling istiod to fetch sensitive data from localhost or link-local IPs and distribute it to Envoy proxies through xDS configuration. The vulnerability requires an authenticated user to create or modify a RequestAuthentication resource, limiting the attack surface to cluster administrators or users with API access. A partial mitigation was released in earlier versions (1.29.1, 1.28.5, 1.27.8) but was incomplete; the complete fix is in versions 1.28.6 and 1.29.2.

Technical ContextAI

Istio is a service mesh control plane that uses RequestAuthentication resources to configure JWT validation policies. When a RequestAuthentication resource specifies a jwksUri (JSON Web Key Set URI), istiod's control plane fetches the public keys from that URI via unauthenticated HTTP GET to validate JWT tokens at runtime. The vulnerability stems from CWE-918 (Server-Side Request Forgery), where istiod fails to validate and filter the jwksUri destination, allowing it to access restricted internal addresses including localhost (127.0.0.0/8) and IPv6 link-local addresses (fe80::/10). Once fetched, this potentially sensitive data gets embedded in xDS (Envoy Discovery Service) configuration messages that are distributed to all Envoy sidecar proxies in the cluster, effectively leaking internal service responses to multiple nodes. The affected component is the istiod control plane daemon responsible for certificate and configuration management across the Istio mesh.

RemediationAI

Upgrade Istio to version 1.28.6, 1.29.2, or later immediately. For organizations unable to upgrade immediately, a ValidatingAdmissionPolicy can be deployed to Kubernetes to prevent the creation of RequestAuthentication resources with jwksUri values pointing to restricted address ranges including localhost (127.0.0.0/8), IPv4 link-local (169.254.0.0/16), IPv6 localhost (::1/128), and IPv6 link-local (fe80::/10). This workaround requires Kubernetes 1.26+ and the ValidatingAdmissionPolicy feature gate enabled, and it adds latency to RequestAuthentication resource creation but has no impact on data plane performance. The partial mitigation available in versions 1.27.8, 1.28.5, and 1.29.1 should NOT be considered sufficient and should be upgraded past as soon as possible; these versions contain incomplete fixes that may still allow exploitation through undocumented code paths. Apply the remediation in this order: first deploy the ValidatingAdmissionPolicy as an immediate brake on new vulnerable resources, then schedule and execute the Istio control plane upgrade to a patched version during a maintenance window.

Vendor StatusVendor

Share

CVE-2026-41413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy