CVE-2026-31837

high

Description

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

References

https://docs.cloud.google.com/support/bulletins/index#gcp-2026-013

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31837.json

https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c

https://bugzilla.redhat.com/show_bug.cgi?id=2446344

https://access.redhat.com/security/cve/CVE-2026-31837

https://access.redhat.com/errata/RHSA-2026:5952

https://access.redhat.com/errata/RHSA-2026:5950

https://access.redhat.com/errata/RHSA-2026:5948

https://access.redhat.com/errata/RHSA-2026:10184

Details

Source: Mitre, NVD

Published: 2026-03-10

Updated: 2026-06-30

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.0005