CVE-2026-39350: Istio: AuthorizationPolicy serviceAccounts regex injection via unescaped dots

April 16, 2026

The serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting SA e.g. cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants.

References

github.com/advisories/GHSA-9gcg-w975-3rjh
github.com/istio/istio
github.com/istio/istio/commit/692e460c342d8f308a35b6ecbdace47807da8ade
github.com/istio/istio/security/advisories/GHSA-9gcg-w975-3rjh
nvd.nist.gov/vuln/detail/CVE-2026-39350

Code Behaviors & Features

Detect and mitigate CVE-2026-39350 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →