CVE-2026-41413: Istio: SSRF via RequestAuthentication jwksUri

April 16, 2026 (updated May 8, 2026)

When a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link-local IPs. The fetched response can then be distributed to Envoy proxies via xDS configuration, exposing sensitive data.

Note: a partial mitigation for this was released in 1.29.1, 1.28.5, and 1.27.8; however, it was incomplete and missed a few code paths. 1.29.2 and 1.28.6 contain the more robust fix.
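As an added example (not Istio's code and not the fix referenced above), the kind of check a control plane can apply before fetching a jwksUri: it rejects hosts that are, or resolve to, loopback, link-local or private addresses and hands back the vetted addresses so the fetch can be pinned to them. The denylist in `blocked` and the `LookupFunc` hook are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/url"
)

// LookupFunc abstracts DNS resolution so the check can run offline (assumed hook).
type LookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// blocked reports whether ip is in a range istiod should never fetch from: loopback,
// link-local (includes the 169.254.169.254 metadata endpoint), RFC 1918 / IPv6
// unique-local, or unspecified. This denylist is an assumed policy, not Istio's.
func blocked(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// ValidateJWKSURI rejects a jwksUri whose host is, or resolves to, a blocked address
// and returns the vetted addresses so the caller can pin the fetch to them.
func ValidateJWKSURI(ctx context.Context, raw string, lookup LookupFunc) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("jwksUri %q: expected an http(s) URL with a host (%v)", raw, err)
	}
	host := u.Hostname() // brackets are stripped from an IPv6 literal
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: check every A/AAAA answer
		addrs, err := lookup(ctx, host)
		if err != nil {
			return nil, fmt.Errorf("jwksUri host %q: %w", host, err)
		}
		ips = ips[:0]
		for _, a := range addrs {
			ips = append(ips, a.IP)
		}
	}
	for _, ip := range ips {
		if blocked(ip) { // To4() inside these checks also catches ::ffff: mapped IPv4
			return nil, fmt.Errorf("jwksUri host %q maps to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

func main() {
	fmt.Println(ValidateJWKSURI(context.Background(), "http://169.254.169.254/latest/meta-data", nil))
}
```

Validating only at admission time is not enough: the address actually dialled must be one of the returned addresses, otherwise a DNS change between validation and fetch bypasses the check.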

References

  • github.com/advisories/GHSA-fgw5-hp8f-xfhc
  • github.com/istio/istio
  • github.com/istio/istio/releases/tag/1.28.6
  • github.com/istio/istio/releases/tag/1.29.2
  • github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc
  • nvd.nist.gov/vuln/detail/CVE-2026-41413


Affected versions

All versions before 0.0.0-20260410004459-189832a289c1

Fixed versions

  • 0.0.0-20260410004459-189832a289c1

Solution

Upgrade to version 0.0.0-20260410004459-189832a289c1 or above.

Impact: 5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N


Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

go/istio.io/istio/CVE-2026-41413.yml



Page generated Sat, 09 May 2026 12:18:18 +0000.