CVE-2026-31838: Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.

Q: What is the severity of CVE-2026-31838?

CVE-2026-31838 has a notable severity due to its potential to bypass namespace-based authorization.

Q: How do I fix CVE-2026-31838?

To fix CVE-2026-31838, upgrade to Istio versions 1.29.1, 1.28.5, or 1.27.8 or later.

Q: What types of systems are affected by CVE-2026-31838?

CVE-2026-31838 affects Istio versions prior to 1.29.1, 1.28.5, and 1.27.8.

Q: What is the main issue caused by CVE-2026-31838?

CVE-2026-31838 allows potential unauthorized access to proxy data across namespaces due to Envoy RBAC header matching vulnerabilities.

Q: Is there a workaround for CVE-2026-31838 if I can't upgrade?

Currently, the recommended approach is to upgrade, as there are no officially documented workarounds for CVE-2026-31838.

Published Mar 10, 2026

Updated

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests with multiple header values in a way that causes Envoy to evaluate the header differently than intended, potentially bypassing authorization checks. This may allow unauthorized requests to reach protected services when policies depend on such header-based matching conditions. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Affected Software

4 affected components

Istio Istio<1.27.8, <1.28.5, <1.29.1

Istio Istio<1.27.8

Istio Istio>=1.28.0<1.28.5

Istio Istio>=1.29.0<1.29.1

Event History

Mar 10, 2026

CVE Published

via MITRE·09:58 PM

Data Sourced

via MITRE·09:58 PM

DescriptionWeakness

Data Sourced

via NVD·10:16 PM

DescriptionSeverityWeaknessAffected Software

Jul 22, 58183

Event

via FIRST·05:58 AM

Frequently Asked Questions

What is the severity of CVE-2026-31838?

CVE-2026-31838 has a notable severity due to its potential to bypass namespace-based authorization.

How do I fix CVE-2026-31838?

To fix CVE-2026-31838, upgrade to Istio versions 1.29.1, 1.28.5, or 1.27.8 or later.

What types of systems are affected by CVE-2026-31838?

CVE-2026-31838 affects Istio versions prior to 1.29.1, 1.28.5, and 1.27.8.

What is the main issue caused by CVE-2026-31838?

CVE-2026-31838 allows potential unauthorized access to proxy data across namespaces due to Envoy RBAC header matching vulnerabilities.

Is there a workaround for CVE-2026-31838 if I can't upgrade?

Currently, the recommended approach is to upgrade, as there are no officially documented workarounds for CVE-2026-31838.

CVSS Score

6.9Medium

Medium Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Security Metrics

Risk Score23

Severitymedium(6.9)

EPSS0.039%

CWE

863

Timeline

PublishedMar 10, 2026

Updated

References

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.