CVE Daily
← All tags

Tag: Istio

All CVEs associated with "Istio". Page 1/1 • 34 CVEs.

About “Istio”

A curated feed of “Istio”-related CVEs appears below. We currently track 34 CVEs for this tag (all time). In the last 365 days, 6 were published. Average CVSS is 7.0 (all time; 5.7 over 365d), and 68% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-918 - Server-Side Request Forgery (SSRF), CWE-185 - Incorrect Regular Expression, CWE-863 - Incorrect Authorization.

In our taxonomy this topic maps to a LOW impact class. Container and Kubernetes fixes usually require image rebuilds and control plane or node upgrades. Prioritize exposed surfaces, restart workloads on patched bases, and tighten RBAC and NetworkPolicies. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: istio

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
1.301.30.0 Soon
1.291.29.3 Soon
1.281.28.7 Soon
1.271.27.9 Expired
1.261.26.8 Expired
1.251.25.5 Expired
1.241.24.6 Expired
1.231.23.6 Expired
1.221.22.8 Expired
1.211.21.6 Expired
1.201.20.8 Expired
1.191.19.10 Expired
1.181.18.7 Expired
1.171.17.8 Expired
1.161.16.7 Expired
1.151.15.7 Expired
1.141.14.6 Expired
1.131.13.9 Expired
1.121.12.9 Expired
1.111.11.8 Expired
1.101.10.6 Expired
1.91.9.9 Expired
1.81.8.6 Expired
1.71.7.8 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Istio”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-07
Medium

CVE-2026-41413

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal se…

CVSS: 5.0 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2026-04-15
Medium

CVE-2026-39350

Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields…

CVSS: 5.4 CWE: CWE-185 - Incorrect Regular Expression View on NVD
2026-03-10
Medium

CVE-2026-31838

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when…

CVSS: 5.3 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2026-31837

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, e…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-01-15
Medium

CVE-2026-23766

Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter's position is "this doesn't repres…

CVSS: 4.1 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
2025-12-15
High

CVE-2025-14038

EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause…

CVSS: 7.0 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-10-22
High

CVE-2024-8901

The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated int…

CVSS: 7.5 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-09-20
Medium

CVE-2024-45806

Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access o…

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2022-11-10
High

CVE-2022-39388

Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they…

CVSS: 7.6 CWE: CWE-863 - Incorrect Authorization View on NVD
2022-10-13
High

CVE-2022-39278

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plan…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-06-09
High

CVE-2022-31045

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting…

CVSS: 7.0 CWE: CWE-125 - Out-of-bounds Read View on NVD
2022-03-10
High

CVE-2022-24726

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacke…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2022-02-22
High

CVE-2022-23635

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attac…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2022-01-19
Medium

CVE-2022-21701

Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gat…

CVSS: 5.0 CWE: CWE-863 - Incorrect Authorization View on NVD
Medium

CVE-2022-21679

Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or…

CVSS: 6.8 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
2021-08-24
High

CVE-2021-39156

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3…

CVSS: 8.1 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-39155

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 434…

CVSS: 8.3 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD
2021-06-29
High

CVE-2021-34824

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from dif…

CVSS: 8.8 CWE: N/A View on NVD
2021-06-02
Critical

CVE-2021-31921

Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a…

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
2021-05-27
Medium

CVE-2021-31920

Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass a…

CVSS: 6.5 CWE: CWE-706 - Use of Incorrectly-Resolved Name or Reference View on NVD
2021-01-29
Medium

CVE-2019-25014

A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go getResourceVersion in Istio pilot before 1.5.0-alpha.0. If a particular HTTP GET request is made to the pilot API endpoint, it is p…

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2020-10-01
Medium

CVE-2020-16844

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or n…

CVSS: 6.8 CWE: N/A View on NVD
2020-09-16
High

CVE-2020-14306

An incorrect access control flaw was found in the operator, openshift-service-mesh/istio-rhel8-operator all versions through 1.1.3. This flaw allows an attacker with a basic level of access to the cl…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
2020-06-02
High

CVE-2020-10739

Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet, an attacker could trigger a Null Pointer…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2020-04-27
High

CVE-2020-1762

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT…

CVSS: 7.0 CWE: CWE-384 - Session Fixation View on NVD
2020-04-15
Low

CVE-2020-11767

Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured exp…

CVSS: 3.1 CWE: N/A View on NVD
2020-03-26
High

CVE-2020-1764

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT sign…

CVSS: 8.6 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2020-02-17
High

CVE-2020-1704

An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An att…

CVSS: 7.0 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2020-02-14
High

CVE-2020-8843

An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at…

CVSS: 7.4 CWE: CWE-20 - Improper Input Validation View on NVD
2020-02-12
High

CVE-2020-8595

Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access…

CVSS: 7.3 CWE: CWE-287 - Improper Authentication View on NVD
2019-11-12
High

CVE-2019-18817

Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.

CVSS: 7.5 CWE: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop') View on NVD
2019-08-13
High

CVE-2019-14993

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding…

CVSS: 7.5 CWE: CWE-185 - Incorrect Regular Expression View on NVD
2019-06-28
High

CVE-2019-12995

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2019-06-05
High

CVE-2019-12243

Istio 1.1.x through 1.1.6 has Incorrect Access Control.

CVSS: 7.5 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox