Announcing Istio 1.27.8

Istio 1.27.8 patch release.

Mar 10, 2026

This release contains security fixes. This release note describes what’s different between Istio 1.27.7 and 1.27.8.

Things to know and prepare before upgrading.

Download and install this release.

Visit the documentation for this release.

Inspect the full set of source code changes.

Security update

For more information, see ISTIO-SECURITY-2026-001.

CVE-2026-26308 (CVSS score 7.5, High): Fix multivalue header bypass in RBAC.
CVE-2026-26311 (CVSS score 5.9, Medium): HTTP decode methods blocked after downstream reset.
CVE-2026-26310 (CVSS score 5.9, Medium): Fix crash in getAddressWithPort() with scoped IPv6 address.
CVE-2026-26309 (CVSS score 5.3, Medium): JSON off-by-one write fix.

CVE-2026-31838 / GHSA-974c-2wxh-g4ww: (CVSS score 6.9, Medium): Debug Endpoints Allow Cross-Namespace Proxy Data Access. Reported by 1seal.
CVE-2026-31837 / GHSA-v75c-crr9-733c: (CVSS score 8.7, High): JWKS Resolver Failure May Allow Authentication Bypass Using Known Default Keys. Reported by 1seal.

Fixed XDS debug endpoints on plaintext port 15010 to require authentication, preventing unauthenticated access to proxy configuration. Reported by 1seal.
Fixed potential SSRF in WasmPlugin image fetching by validating bearer token realm URLs. Reported by Sergey Kanibor (Luntry).
Fixed HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access. Reported by Sergey Kanibor (Luntry).
Added the ability to specify authorized namespaces for debug endpoints when ENABLE_DEBUG_ENDPOINT_AUTH=true. Enable by setting DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES to a comma separated list of authorized namespaces. The system namespace (typically istio-system) is always authorized.