CVE-2026-31837: Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

Q: What is the severity of CVE-2026-31837?

CVE-2026-31837 is considered a high severity vulnerability due to the risk of exposing private key material.

Q: How do I fix CVE-2026-31837?

To fix CVE-2026-31837, upgrade Istio to versions 1.29.1, 1.28.5, or 1.27.8 or later.

Q: What products are affected by CVE-2026-31837?

CVE-2026-31837 affects Istio versions between 1.27.8 and 1.29.0.

Q: What happens if the JWKS fetch fails in CVE-2026-31837?

If the JWKS fetch fails in CVE-2026-31837, it may expose private key material, compromising security.

Q: When was CVE-2026-31837 reported?

CVE-2026-31837 was reported in the advisory related to vulnerabilities affecting previous versions of Istio.

Published Mar 10, 2026

Updated

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Affected Software

4 affected components

Istio Istio>=1.27.8<=1.29.0

Istio Istio<1.27.8

Istio Istio>=1.28.0<1.28.5

Istio Istio>=1.29.0<1.29.1

Event History

Mar 10, 2026

CVE Published

via MITRE·09:57 PM

Data Sourced

via MITRE·09:57 PM

DescriptionWeakness

Data Sourced

via NVD·10:16 PM

DescriptionSeverityWeaknessAffected Software

Jul 22, 58183

Event

via FIRST·05:11 AM

Frequently Asked Questions

What is the severity of CVE-2026-31837?

CVE-2026-31837 is considered a high severity vulnerability due to the risk of exposing private key material.

How do I fix CVE-2026-31837?

To fix CVE-2026-31837, upgrade Istio to versions 1.29.1, 1.28.5, or 1.27.8 or later.

What products are affected by CVE-2026-31837?

CVE-2026-31837 affects Istio versions between 1.27.8 and 1.29.0.

What happens if the JWKS fetch fails in CVE-2026-31837?

If the JWKS fetch fails in CVE-2026-31837, it may expose private key material, compromising security.

When was CVE-2026-31837 reported?

CVE-2026-31837 was reported in the advisory related to vulnerabilities affecting previous versions of Istio.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.