CVE-2026-31837 | THREATINT

Description

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-10 | Updated 2026-03-11 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

>= 1.29.0-alpha.0, < 1.29.1

affected

>= 1.28.0-alpha.0, < 1.28.5

affected

< 1.27.8

affected

References

github.com/.../istio/security/advisories/GHSA-v75c-crr9-733c

cve.org (CVE-2026-31837)

nvd.nist.gov (CVE-2026-31837)

Download JSON