HIGHCVE-2026-31837Published 2026-03-10Modified 2026-03-11CNA GitHub_M

CVE-2026-31837: Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

istio / istio
>= 1.29.0-alpha.0, < 1.29.1 · >= 1.28.0-alpha.0, < 1.28.5 · < 1.27.8

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c

Metrics