Istio RequestAuthentication Resource SSRF Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Istio versions prior to 1.28.6 and 1.29.2. When a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod sends an unauthenticated HTTP GET request to that URL. The request is made without rejecting localhost or link-local IP destinations, so the response fetched from such an address can end up in the xDS configuration pushed to Envoy proxies, potentially exposing sensitive data.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data, which could then be distributed to Envoy proxies, potentially impacting the behavior of microservices managed by Istio.

Remediation

Users can upgrade to Istio versions 1.28.6 or 1.29.2, both of which contain the patch for this vulnerability. Additionally, users can deploy a ValidatingAdmissionPolicy to prevent the creation of RequestAuthentication resources with suspicious jwksUri values, such as localhost or link-local IP addresses.
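As an added example (not Istio's published policy or code from this advisory), the following ValidatingAdmissionPolicy and binding implement the mitigation described above: they reject RequestAuthentication resources whose jwksUri host is localhost, a loopback, unspecified or link-local IP address. It assumes a Kubernetes 1.31+ API server for the CEL `isIP()`/`ip()` functions; the `security.istio.io` API group and `spec.jwtRules[].jwksUri` field are Istio's own.

```yaml
# Added example, not Istio's own policy. Assumes Kubernetes 1.31+ so the CEL
# url()/isURL() and ip()/isIP() libraries are available to the admission chain.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-internal-jwks-uri
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["security.istio.io"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["requestauthentications"]
  validations:
    # Every jwtRule that sets jwksUri must be a parseable URL whose hostname is
    # neither "localhost" nor a loopback, unspecified (0.0.0.0/::) or
    # link-local (169.254.0.0/16, fe80::/10) address. getHostname() strips the
    # port and IPv6 brackets, so "http://[::1]:8080/" is caught as well.
    - expression: >-
        !has(object.spec.jwtRules) ||
        object.spec.jwtRules.all(r,
          !has(r.jwksUri) ||
          (isURL(r.jwksUri) &&
           url(r.jwksUri).getHostname() != 'localhost' &&
           (!isIP(url(r.jwksUri).getHostname()) ||
            !(ip(url(r.jwksUri).getHostname()).isLoopback() ||
              ip(url(r.jwksUri).getHostname()).isUnspecified() ||
              ip(url(r.jwksUri).getHostname()).isLinkLocalUnicast()))))
      message: >-
        jwksUri must be a URL whose host is not localhost or a loopback,
        unspecified or link-local IP address
---
# The binding activates the policy cluster-wide; add matchResources with a
# namespaceSelector here to scope it if only some namespaces need it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-internal-jwks-uri
spec:
  policyName: deny-internal-jwks-uri
  validationActions: ["Deny"]
```

Hostnames that resolve to internal addresses are not caught by this check, since admission sees only the literal URL; it is a stopgap until the upgrade, not a replacement for it.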

Added: May 7, 2026, 6:35 AM
Updated: May 7, 2026, 6:35 AM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 1.3
exploitability: 3.8
remediation: 8.3
relevance: 7.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.