What is CVE-2026-39350?

CVE-2026-39350 is a medium-severity vulnerability in Istio, classified under Incorrect Regular Expression. CVSS score: 5.4/10. Published 2026-04-15.

How severe is CVE-2026-39350?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Auth bypass in Istio

CVE-2026-39350

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly inte…

EPSS: 0.000 (1.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.

Affected products

Istio — versions >= 1.25.0, < < 1.27.9, >= 1.28.0, < 1.28.6, >= 1.29.0, < 1.29.2

Weakness classification (CWE)

CWE-185 — Incorrect Regular Expression
CWE-863 — Incorrect Authorization

References

https://github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-39350?: CVE-2026-39350 is a medium-severity vulnerability in Istio, classified under Incorrect Regular Expression. CVSS score: 5.4/10. Published 2026-04-15.
How severe is CVE-2026-39350?: Medium severity. CVSS v3 base score is 5.4 out of 10.