Istio

Traffic Management Improved endpoint selection for multi-network environments to use the gateway for network-specific endpoints when the local proxy network is unset. Improved sidecar proxy service namespace selection. When configuring sidecar proxies, if a hostname exists in multiple namespaces, Istio now prefers Kubernetes services and falls back to the oldest non-Kubernetes service (e.g. ServiceEntry ) by creation time. Previously, the first visible namespace alphabetically was chosen. Added opt-in synthesis of x-forwarded-client-cert at ambient waypoints. Setting the annotation ambient.istio.io/xfcc-include-client-identity: "true" on a waypoint Gateway (or its GatewayClass ) causes the waypoint to overwrite XFCC on forwarded requests with an entry populated from the ztunnel-provided source workload SPIFFE identity, so upstream apps can see the originating client. Any inbound XFCC value is replaced. Waypoints without the annotation are unaffected. ( Issue #54995 ) Added su

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.29.2 and 1.29.3. BEFORE YOU UPGRADE Things to know and prepare before upgrading. DOWNLOAD Download and install this release. DOCS Visit the documentation for this release. SOURCE CHANGES Inspect the full set of source code changes. Changes Added support for Gateway API v1.4.1. Added an istioctl analyze warning (IST0175) when RequestAuthentication resources exist but BLOCKED_CIDRS_IN_JWKS_URIS is not configured on istiod. ( Issue #59523 ) Added feature flags PILOT_HBONE_INITIAL_STREAM_WINDOW_SIZE and PILOT_HBONE_INITIAL_CONNECTION_WINDOW_SIZE . They can configure the initial stream and connection window sizes for HBONE connections to upstream clusters (generated for waypoints and east-west gateways). These may be used to reduce unwanted buffering. ( Issue #59961 ) Fixed an issue where Istiod could issue leaf certificates with a NotAfter time beyond the signing certificate&

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.28.6 and 1.28.7. BEFORE YOU UPGRADE Things to know and prepare before upgrading. DOWNLOAD Download and install this release. DOCS Visit the documentation for this release. SOURCE CHANGES Inspect the full set of source code changes. Changes Added support for Gateway API v1.4.1. Added an istioctl analyze warning (IST0175) when RequestAuthentication resources exist but BLOCKED_CIDRS_IN_JWKS_URIS is not configured on istiod. ( Issue #59523 ) Added feature flags PILOT_HBONE_INITIAL_STREAM_WINDOW_SIZE and PILOT_HBONE_INITIAL_CONNECTION_WINDOW_SIZE . They can configure the initial stream and connection window sizes for HBONE connections to upstream clusters (generated for waypoints and east-west gateways). These may be used to reduce unwanted buffering. ( Issue #59961 ) Fixed an issue where waypoints failed to add the TLS inspector listener filter when only TLS ports existed, ca

Disclosure Details CVE(s) CVE-2026-39350 CVE-2026-XXXXX CVSS Impact Score 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Affected Releases 1.29.0 to 1.29.1 1.28.0 to 1.28.5 CVE Istio CVEs CVE-2026-39350 / GHSA-9gcg-w975-3rjh : (CVSS score 5.4, Moderate): AuthorizationPolicy serviceAccounts regex injection via unescaped dots. Reported by Wernerina . CVE-2026-41413 / GHSA-fgw5-hp8f-xfhc : (CVSS score 5.0, Moderate): SSRF via RequestAuthentication jwksUri . Reported by KoreaSecurity , 1seal , AKiileX . Am I Impacted? All users running affected Istio versions are potentially impacted: The Authorization Bypass impact is relevant if you use AuthorizationPolicy resources that specify serviceAccounts containing dots. An attacker could bypass an ALLOW policy or slip through a DENY policy by using a service account with a name that exploits the regex wildcard interpretation. The SSRF impact is relevant if you allow users or automated systems to create RequestAuthentication resources. An attack

IPO Registration (amended) filed 2026-04-17

Annual Report filed 2026-04-15

This release contains security fixes. This release note describes what’s different between Istio 1.29.1 and 1.29.2. BEFORE YOU UPGRADE Things to know and prepare before upgrading. DOWNLOAD Download and install this release. DOCS Visit the documentation for this release. SOURCE CHANGES Inspect the full set of source code changes. Changes Added Helm v4 (server-side apply) support. Fixed a webhook failurePolicy field ownership conflict that caused helm upgrade with SSA to fail. ( Issue #58302 ) ( Issue #59367 ) Fixed a field manager conflict on ValidatingWebhookConfiguration during helm upgrade with server-side apply in tools that respect .Release.IsUpgrade (Helm 4, Flux). The failurePolicy field is now omitted from the webhook template on upgrade, preserving the value set at runtime by the webhook controller. For tools that use helm template with SSA, set base.validationFailurePolicy: Fail to avoid the conflict. Fixed serviceAccount matcher regex in AuthorizationPolicy to properly

This release contains security fixes. This release note describes what’s different between Istio 1.28.5 and 1.28.6. BEFORE YOU UPGRADE Things to know and prepare before upgrading. DOWNLOAD Download and install this release. DOCS Visit the documentation for this release. SOURCE CHANGES Inspect the full set of source code changes. Changes Added Helm v4 (server-side apply) support. Fixed a webhook failurePolicy field ownership conflict that caused helm upgrade with SSA to fail. ( Issue #58302 ) ( Issue #59367 ) Added the ability to specify authorized namespaces for debug endpoints when ENABLE_DEBUG_ENDPOINT_AUTH=true . Enable by setting DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES to a comma-separated list of authorized namespaces. The system namespace (typically istio-system ) is always authorized. Added support to block CIDRs in JWKS URIs when fetching public keys for JWT validation. If any resolved IP from a JWKS URI matches a blocked CIDR, Istio will skip fetching the public key and u

This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.8 and 1.27.9. BEFORE YOU UPGRADE Things to know and prepare before upgrading. DOWNLOAD Download and install this release. DOCS Visit the documentation for this release. SOURCE CHANGES Inspect the full set of source code changes. Changes Fixed istiod errors on startup when a CRD version greater than the maximum supported version is installed on a cluster. TLS route versions v1.4 and below are supported; v1.5 and above will be ignored. ( Issue #59443 ) Fixed serviceAccount matcher regex in AuthorizationPolicy to properly quote the service account name, allowing for correct matching of service accounts with special characters in their names. ( Issue #59700 ) Fixed an issue where all Gateways were restarted after istiod was restarted. ( Issue #59709 ) Fixed TLSRoute hostnames not being constrained to the intersection with the Gateway listener hostname. Previously, a

As previously announced , support for Istio 1.27 has now officially ended. At this point we will no longer back-port fixes for security issues and critical bugs to 1.27. We highly recommend that you upgrade to the latest version of Istio (1.30) if you haven’t already.

Material Event filed 2026-03-24