PT-2026-37113 · Istio · Istio
1Seal +2 · Published 2026-04-16 · Updated 2026-05-08 · CVE-2026-41413
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Istio versions prior to 1.28.6; Istio versions prior to 1.29.2

Description: When a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod performs an unauthenticated HTTP GET request to that URL without filtering localhost or link-local IP addresses. This behavior can lead to the distribution of sensitive data to Envoy proxies through the xDS configuration.

Recommendations: Update to version 1.28.6 or 1.29.2. Deploy a ValidatingAdmissionPolicy to prevent the creation of RequestAuthentication resources containing suspicious jwksUri field values, such as localhost, 127.0.0.0/8, 169.254.0.0/16, and their IPv6 equivalents.
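The following is an added example of the admission guardrail the recommendation describes; it is not Istio's own policy and not part of this advisory. The policy and binding names are assumptions, the resource it matches is Istio's RequestAuthentication CRD (group security.istio.io, field spec.jwtRules[].jwksUri), and the CEL relies on the Kubernetes URL library (url, isURL, getHostname) and the IP library (isIP, ip, isLoopback, isLinkLocalUnicast, isUnspecified), the latter assumed to need Kubernetes 1.31 or later. It rejects any jwksUri whose host is localhost, an unparsable URL, or a literal loopback, link-local or unspecified IP address (IPv4, IPv6 and IPv4-mapped IPv6 alike, since the IP predicates unmap before checking).

```yaml
# Added example (not Istio's code): deny RequestAuthentication objects whose
# jwksUri points istiod at loopback or link-local addresses (CVE-2026-41413).
# Policy/binding names are assumptions; adjust to local naming conventions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-internal-jwks-uri
spec:
  # Fail closed: if the expression cannot be evaluated, the request is denied.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["security.istio.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["requestauthentications"]
  validations:
    # Every jwtRule that sets jwksUri must be a parsable URL whose hostname is
    # neither "localhost"/"*.localhost" nor a loopback, link-local or
    # unspecified IP literal. Rules without jwksUri are left alone.
    - expression: >-
        !has(object.spec.jwtRules) ||
        object.spec.jwtRules.all(r, !has(r.jwksUri) ||
          (isURL(r.jwksUri) &&
           url(r.jwksUri).getHostname().lowerAscii() != 'localhost' &&
           !url(r.jwksUri).getHostname().lowerAscii().endsWith('.localhost') &&
           (!isIP(url(r.jwksUri).getHostname()) ||
            !(ip(url(r.jwksUri).getHostname()).isLoopback() ||
              ip(url(r.jwksUri).getHostname()).isLinkLocalUnicast() ||
              ip(url(r.jwksUri).getHostname()).isUnspecified()))))
      message: >-
        jwksUri must be a valid URL and must not point at localhost, a loopback
        address, or a link-local address (CVE-2026-41413).
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-internal-jwks-uri
spec:
  policyName: deny-internal-jwks-uri
  # Deny rather than only audit/warn; no matchResources means the binding
  # applies wherever the policy's matchConstraints match.
  validationActions: ["Deny"]
```

Apply both documents with kubectl apply -f, then verify that a RequestAuthentication carrying a jwksUri such as http://localhost:8080/jwks or http://[::1]/jwks is rejected while one pointing at an external issuer is admitted. The policy only inspects the literal host in the URL; a hostname that resolves to an internal address is not caught by admission control, so treat this as a guardrail alongside the upgrade to 1.28.6 or 1.29.2, not as a substitute for it.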

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-41413
GHSA-FGW5-HP8F-XFHC

Affected Products

Istio