
Istio: Exposed default security settings if JWKS resolver fails

CVE-2026-31837
Summary

If the JWKS resolver, the service that helps Istio verify identities, is unavailable or its fetch fails, hardcoded default settings are exposed regardless of any RequestAuthentication resource, which could make your system more vulnerable. This affects Istio versions prior to 1.29.1, 1.28.5, and 1.27.8; update to one of these fixed versions or the latest release.

Original title
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails,...
Original description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
NVD CVSS 4.0 score: 8.7
Vulnerability type
CWE-200 Information Exposure
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026