Cyber Resilience

CVE-2026-31837

Severity: High (updated)

Published: 10 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (Istio 1.29.1, 1.28.5, 1.27.8)
CVSS v4.0 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
EPSS Score: 0.0028 (19.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31837 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Istio. Its CVSS v4.0 base score is 8.7 (High); the equivalent CVSS v3.1 base score is 7.5.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31837 affects Istio, an open platform for connecting, managing, and securing microservices. In versions prior to 1.29.1, 1.28.5, and 1.27.8, the vulnerability arises when the JWKS (JSON Web Key Set) resolver becomes unavailable or the JWKS fetch fails. Instead of failing closed, Istio falls back to hardcoded defaults, so the behaviour the RequestAuthentication resource was configured to enforce is not what takes effect. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Under CVSS v3.1 it scores 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and under CVSS v4.0 it scores 8.7; both vectors record a high confidentiality impact with no integrity or availability impact.

Exploitation requires no privileges or user interaction. An unauthenticated attacker with network access who can make the JWKS fetch fail, for example by degrading the JWKS endpoint or interfering with the network path between the resolver and that endpoint, puts the mesh into the state in which the hardcoded defaults apply rather than the configured RequestAuthentication policy. In that state the advisory's outcome is exposure of data the policy was meant to keep from unauthenticated callers, hence the CWE-200 rating and C:H with unchanged scope. Note that the same state is reached without any attacker at all: an outage of the identity provider hosting the JWKS, or a transient network fault, triggers the identical fallback, so the exposure window is not limited to periods of active attack.

The Istio security advisory at https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c details the fix, recommending immediate upgrades to Istio 1.29.1, 1.28.5, or 1.27.8, where the vulnerability is resolved by ensuring proper fallback handling without exposing defaults. No workarounds are specified beyond patching.
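The analysis above gives two things a responder needs to act on: the exact release boundaries of the fix, and the fact that the fallback is reached whenever a JWKS fetch fails. The script below turns both into a cluster triage check. It is an added example written for this page, not code from the Istio project or from the advisory. The version boundaries come from the advisory; the RequestAuthentication document is a constructed sample shaped like `kubectl get requestauthentications.security.istio.io -A -o json` output (the `spec.jwtRules[].issuer`, `jwksUri` and `jwks` fields are Istio's real schema, while the policy names, namespaces and issuer URLs are invented), and the version strings are stand-ins for what `istioctl version` would report.

```python
"""
Triage helper for CVE-2026-31837: is this mesh on an affected Istio release,
and which RequestAuthentication rules rely on a JWKS fetch that can fail?

Added example for this page, not Istio project code. Version boundaries are
taken from the advisory (fixed in 1.27.8, 1.28.5 and 1.29.1). The sample
RequestAuthentication list below is constructed; names and URLs are invented.
"""
import json
import re

# First fixed patch release on each minor line named in the advisory.
FIXED_PATCH = {(1, 27): 8, (1, 28): 5, (1, 29): 1}


def parse_version(version):
    """'1.28.3', 'v1.28.3' or '1.28.3-abcdef' -> (1, 28, 3)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if `version` predates the fix on its minor line.

    Minor lines older than 1.27 have no fixed release listed, so every
    release on them is treated as affected; lines newer than 1.29 were
    cut after the fix and are treated as not affected.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    return (major, minor) < (1, 27)


def jwks_sources(request_auth_list):
    """One record per spec.jwtRules[] entry across all RequestAuthentication items.

    A rule whose keys are not pinned inline (`jwks`) needs a runtime fetch,
    either from `jwksUri` or via OpenID discovery from `issuer`; those are
    the rules whose behaviour depends on that fetch succeeding.
    """
    records = []
    for item in request_auth_list.get("items", []):
        meta = item.get("metadata", {})
        policy = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for rule in item.get("spec", {}).get("jwtRules", []):
            if rule.get("jwks"):
                source = "inline"
            elif rule.get("jwksUri"):
                source = "jwksUri"
            else:
                source = "openid-discovery"
            records.append({
                "policy": policy,
                "issuer": rule.get("issuer"),
                "jwks_source": source,
                "needs_fetch": source != "inline",
            })
    return records


def triage(control_plane_versions, request_auth_json):
    """Combine the two checks into one report for a cluster."""
    affected = [v for v in control_plane_versions if is_affected(v)]
    rules = jwks_sources(json.loads(request_auth_json))
    return {
        "affected_versions": affected,
        "rules_needing_fetch": [r["policy"] for r in rules if r["needs_fetch"]],
        "rules": rules,
        "action": ("upgrade to 1.27.8 / 1.28.5 / 1.29.1 or later"
                   if affected else "no affected control-plane version found"),
    }


# Constructed sample: three policies covering the three key-source shapes.
SAMPLE_REQUEST_AUTHS = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "security.istio.io/v1", "kind": "RequestAuthentication",
         "metadata": {"name": "jwt-api", "namespace": "payments"},
         "spec": {"selector": {"matchLabels": {"app": "api"}},
                  "jwtRules": [{"issuer": "https://idp.example.internal",
                                "jwksUri": "https://idp.example.internal/.well-known/jwks.json",
                                "audiences": ["payments-api"]}]}},
        {"apiVersion": "security.istio.io/v1", "kind": "RequestAuthentication",
         "metadata": {"name": "jwt-pinned", "namespace": "ledger"},
         "spec": {"jwtRules": [{"issuer": "https://idp.example.internal",
                                "jwks": "{\"keys\":[]}"}]}},
        {"apiVersion": "security.istio.io/v1", "kind": "RequestAuthentication",
         "metadata": {"name": "jwt-discovery", "namespace": "default"},
         "spec": {"jwtRules": [{"issuer": "https://idp.example.internal"}]}},
    ],
})

if __name__ == "__main__":
    # Version strings would normally come from `istioctl version`; these are constructed.
    print(json.dumps(triage(["1.28.3", "1.28.5"], SAMPLE_REQUEST_AUTHS), indent=2))
```

The `needs_fetch` flag only tells you where a trust anchor is retrieved at runtime and can therefore disappear; the advisory does not state that inline keys avoid the vulnerable code path, so the version check, not the key source, decides whether to upgrade.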

Vulnerability details

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an unauthenticated, network-accessible flaw in Istio's JWKS handling that directly exposes sensitive authentication/configuration data when the resolver is disrupted. This matches the definition of exploiting a public-facing application (T1190) to achieve information disclosure without credentials or user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34297 (shared CWE-200)
CVE-2025-22918 (shared CWE-200)
CVE-2026-2262 (shared CWE-200)
CVE-2026-22237 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2026-32098 (shared CWE-200)
CVE-2026-24422 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-23743 (shared CWE-200)

Affected Assets

Vendor: istio · Product: istio
Affected: < 1.27.8 · 1.28.0 to 1.28.4 · 1.29.0
Fixed: 1.27.8 · 1.28.5 · 1.29.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely patching of the Istio JWKS resolver flaw that falls back to hardcoded defaults on fetch failure.

SC-24 Fail in Known State (prevent)

Ensures Istio fails to a secure state rather than applying hardcoded defaults when the JWKS resolver becomes unavailable.

Availability protection for the JWKS resolver (prevent)

Protects the JWKS resolver from denial-of-service or network interference that triggers the fallback to hardcoded defaults.

References

https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c (Istio security advisory)