CVE-2026-41413

A flaw was found in Istio. When a RequestAuthentication resource is created with a jwksUri JSON Web Key Set Uniform Resource Identifier that points to an internal service, istiod the Istio control plane daemon makes an unauthenticated HTTP GET request to that URL. This request does not properly...

CVE-2026-41413

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhos...

CVE-2026-41413

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhos...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...

PT-2026-37113

Name of the Vulnerable Software and Affected Versions Istio versions prior to 1.28.6 Istio versions prior to 1.29.2 Description When a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod performs an unauthenticated HTTP GET request to that URL without...