CVE-2026-31837
Published: 10 March 2026
Summary
CVE-2026-31837 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Istio Istio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.
Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.
Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.
Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information.
Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an unauthenticated, network-accessible flaw in Istio's JWKS handling that directly exposes sensitive authentication/configuration data when the resolver is disrupted. This matches the definition of exploiting a public-facing application (T1190) to achieve information disclosure without credentials or user interaction.
NVD Description
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of…
more
the RequestAuthentication resource. This vulnerability is fixed in 1.29.1, 1.28.5, and 1.27.8.
Deeper analysisAI
CVE-2026-31837 affects Istio, an open platform for connecting, managing, and securing microservices. In versions prior to 1.29.1, 1.28.5, and 1.27.8, the vulnerability arises when the JWKS (JSON Web Key Set) resolver becomes unavailable or the fetch fails. This causes Istio to expose hardcoded defaults, bypassing the intended behavior of the RequestAuthentication resource, which is rated CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.
Any unauthenticated attacker with network access can exploit this vulnerability by disrupting the JWKS resolver, such as through denial-of-service techniques or network interference that prevents successful fetches. Successful exploitation allows the attacker to access the hardcoded defaults, potentially exposing sensitive configuration or authentication data that should have been protected by RequestAuthentication policies, without requiring privileges, user interaction, or changing the scope of impact.
The Istio security advisory at https://github.com/istio/istio/security/advisories/GHSA-v75c-crr9-733c details the fix, recommending immediate upgrades to Istio 1.29.1, 1.28.5, or 1.27.8, where the vulnerability is resolved by ensuring proper fallback handling without exposing defaults. No workarounds are specified beyond patching.
Details
- CWE(s)