PT-2026-33182 · Istio · Istio

Published 2026-04-15 · Updated 2026-04-16 · CVE-2026-39350

CVSS v3.1 5.4 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Istio versions 1.25.0 through 1.27.8
Istio versions 1.28.0 through 1.28.5
Istio versions 1.29.0 through 1.29.1
Description
In AuthorizationPolicy, the serviceAccounts and notServiceAccounts fields of a rule's source incorrectly interpret a dot (.) in the configured account name as a regular-expression wildcard that matches any single character, rather than as a literal dot. Since dots are valid characters in Kubernetes service account names, an ALLOW rule targeting a specific account, such as 'cert-manager.io', will also match unintended variants like 'cert-manager-io' or 'cert-managerXio'. Conversely, a DENY rule targeting the same name will fail to block these variants.
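To make the dot behaviour concrete, here is an added Go example that is not Istio's code and not part of this advisory. It models one AuthorizationPolicy rule's source match (serviceAccounts and notServiceAccounts) against a caller's account name, once with the configured name compiled unchanged as a regular expression (an assumed model of the defect, in which '.' matches any single character) and once compared literally through regexp.QuoteMeta. All type and function names and the sample account names are constructed for the example. With the wildcard interpretation an ALLOW rule for 'cert-manager.io' admits 'cert-manager-io' and 'cert-managerXio', and a DENY rule that exempts 'cert-manager.io' through notServiceAccounts lets those look-alikes through as well; with literal matching only the exact name matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// Action mirrors the two AuthorizationPolicy actions the advisory concerns.
type Action string

const (
	Allow Action = "ALLOW"
	Deny  Action = "DENY"
)

// Rule is the subset of one AuthorizationPolicy rule that matters here:
// the action and the source.serviceAccounts / source.notServiceAccounts lists.
type Rule struct {
	Action             Action
	ServiceAccounts    []string
	NotServiceAccounts []string
}

// Matcher reports whether a configured account name matches the caller's name.
type Matcher func(configured, caller string) bool

// NaiveMatch is an assumed model of the defect, not Istio's own code: the
// configured name is compiled unchanged as an anchored regular expression,
// so a "." in it matches any single character instead of a literal dot.
func NaiveMatch(configured, caller string) bool {
	return regexp.MustCompile("^" + configured + "$").MatchString(caller)
}

// LiteralMatch is the intended semantics: regexp.QuoteMeta escapes "." (the
// only regex metacharacter a DNS-1123 account name can contain), so the name
// is compared character for character.
func LiteralMatch(configured, caller string) bool {
	return regexp.MustCompile("^" + regexp.QuoteMeta(configured) + "$").MatchString(caller)
}

func anyMatch(names []string, caller string, m Matcher) bool {
	for _, n := range names {
		if m(n, caller) {
			return true
		}
	}
	return false
}

// SourceMatches applies the rule's source constraints: the caller must be in
// serviceAccounts (when set) and must not be in notServiceAccounts (when set).
func SourceMatches(r Rule, caller string, m Matcher) bool {
	if len(r.ServiceAccounts) > 0 && !anyMatch(r.ServiceAccounts, caller, m) {
		return false
	}
	if len(r.NotServiceAccounts) > 0 && anyMatch(r.NotServiceAccounts, caller, m) {
		return false
	}
	return true
}

// Permitted evaluates a workload that carries only this one rule: an ALLOW
// rule admits exactly the callers it matches, a DENY rule rejects exactly the
// callers it matches and admits everyone else.
func Permitted(r Rule, caller string, m Matcher) bool {
	matched := SourceMatches(r, caller, m)
	if r.Action == Deny {
		return !matched
	}
	return matched
}

func main() {
	// Constructed sample: the account named in the policy and two look-alikes
	// that differ from it only at the position of the dot.
	const target = "cert-manager.io"
	callers := []string{"cert-manager.io", "cert-manager-io", "cert-managerXio"}
	cases := []struct {
		label string
		rule  Rule
	}{
		{"ALLOW serviceAccounts", Rule{Action: Allow, ServiceAccounts: []string{target}}},
		{"DENY serviceAccounts", Rule{Action: Deny, ServiceAccounts: []string{target}}},
		{"DENY notServiceAccounts", Rule{Action: Deny, NotServiceAccounts: []string{target}}},
	}
	for _, c := range cases {
		for _, caller := range callers {
			fmt.Printf("%-24s caller=%-16s permitted: dot-as-wildcard=%-5t literal=%t\n",
				c.label, caller, Permitted(c.rule, caller, NaiveMatch), Permitted(c.rule, caller, LiteralMatch))
		}
	}
}
```

The anchoring with ^ and $ is deliberate: even anchored, the unescaped dot widens every name of the same length, so the defect is not a missing anchor but a missing escape.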
Recommendations
Update to version 1.27.9 for versions 1.25.0 through 1.27.8.
Update to version 1.28.6 for versions 1.28.0 through 1.28.5.
Update to version 1.29.2 for versions 1.29.0 through 1.29.1.
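Alongside the upgrade, an operator will want to know which policies actually depend on a dotted account name. The following added Go program (example code, not part of Istio or of this advisory) walks the JSON that `kubectl get authorizationpolicies -A -o json` emits and reports every serviceAccounts or notServiceAccounts entry containing a dot, together with the policy that holds it and the policy's action. The embedded policy list is constructed for the example and assumes the `<namespace>/<name>` entry form; the Finding type and function names are also the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// policyList is the subset of `kubectl get authorizationpolicies -A -o json`
// this check reads; every other field is ignored during unmarshalling.
type policyList struct {
	Items []struct {
		Metadata struct {
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			Action string `json:"action"`
			Rules  []struct {
				From []struct {
					Source struct {
						ServiceAccounts    []string `json:"serviceAccounts"`
						NotServiceAccounts []string `json:"notServiceAccounts"`
					} `json:"source"`
				} `json:"from"`
			} `json:"rules"`
		} `json:"spec"`
	} `json:"items"`
}

// Finding is one serviceAccounts / notServiceAccounts entry containing a dot.
type Finding struct {
	Policy string // <namespace>/<name> of the AuthorizationPolicy
	Action string // the policy's action; ALLOW when the spec omits it
	Field  string // "serviceAccounts" or "notServiceAccounts"
	Value  string // the configured entry, e.g. "cert-manager/cert-manager.io"
}

// DottedServiceAccounts lists every serviceAccounts / notServiceAccounts
// entry whose value contains a ".". Namespace names cannot contain dots, so
// any dot in a "<namespace>/<name>" entry is in the account name, and that
// entry is the kind widened on affected Istio versions.
func DottedServiceAccounts(listJSON []byte) ([]Finding, error) {
	var pl policyList
	if err := json.Unmarshal(listJSON, &pl); err != nil {
		return nil, err
	}
	var out []Finding
	for _, it := range pl.Items {
		action := it.Spec.Action
		if action == "" {
			action = "ALLOW" // AuthorizationPolicy defaults to ALLOW
		}
		policy := it.Metadata.Namespace + "/" + it.Metadata.Name
		for _, r := range it.Spec.Rules {
			for _, f := range r.From {
				fields := []struct {
					name string
					vals []string
				}{
					{"serviceAccounts", f.Source.ServiceAccounts},
					{"notServiceAccounts", f.Source.NotServiceAccounts},
				}
				for _, fv := range fields {
					for _, v := range fv.vals {
						if strings.Contains(v, ".") {
							out = append(out, Finding{Policy: policy, Action: action, Field: fv.name, Value: v})
						}
					}
				}
			}
		}
	}
	return out, nil
}

// SampleList is a constructed policy list (not real cluster output) with one
// dotted serviceAccounts entry, one dotted notServiceAccounts entry, and one
// policy that is unaffected.
const SampleList = `{
  "items": [
    {"metadata": {"namespace": "istio-system", "name": "allow-cert-manager"},
     "spec": {"rules": [{"from": [{"source": {"serviceAccounts": ["cert-manager/cert-manager.io"]}}]}]}},
    {"metadata": {"namespace": "default", "name": "deny-others"},
     "spec": {"action": "DENY", "rules": [{"from": [{"source": {"notServiceAccounts": ["default/sleep", "default/api.gateway"]}}]}]}},
    {"metadata": {"namespace": "default", "name": "plain"},
     "spec": {"rules": [{"from": [{"source": {"serviceAccounts": ["default/httpbin"]}}]}]}}
  ]
}`

func main() {
	findings, err := DottedServiceAccounts([]byte(SampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s (%s) %s: %s\n", f.Policy, f.Action, f.Field, f.Value)
	}
}
```

On a live cluster, pipe the kubectl output into the program instead of the constant; any hit is a policy whose effective scope differs from what was written until the listed fixed version is deployed.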

Fix

Weakness Enumeration
Incorrect Authorization

Related Identifiers
CVE-2026-39350
GHSA-9GCG-W975-3RJH

Affected Products
Istio