CVE-2026-31837 HIGH

CVE-2026-31837: Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

Vendor Istio

Product istio

Weakness CWE-200 · Info exposure

Published March 10, 2026

Last update June 30, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

Key dates

02Disclosure timeline

March 10, 2026 CVE published

June 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-31837 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2026-31837

CWE CWE-200

CVSS 8.7 / HIGH

Affected versions

Vendor Istio

Product istio

Affected >= 1.29.0-alpha.0, < 1.29.1

Vendor Istio

Product istio

Affected >= 1.28.0-alpha.0, < 1.28.5

Vendor Istio

Product istio

Affected < 1.27.8

CVE-2026-31837: Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

01Description

02Disclosure timeline

03References

04Related CVE