1.26.8-patch2
Solo build of Istio version 1.26.8-patch2 patch release.
This release note describes what’s different between Solo builds of Istio versions 1.26.8-patch1 and 1.26.8-patch2.
Security Notice
Envoy CVEs
- CVE-2026-26308: (CVSS score 7.5, High): Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
- CVE-2026-26311: (CVSS score 5.9, Medium): Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet destroyed, potentially causing use-after-free conditions.
- CVE-2026-26310: (CVSS score 5.9, Medium): Fixed a crash in `Utility::getAddressWithPort` when called with a scoped IPv6 address (e.g., `fe80::1%eth0`).
- CVE-2026-26309: (CVSS score 5.3, Medium): Fixed an off-by-one write in `JsonEscaper::escapeString()` that could corrupt the string null terminator.
Istio CVEs
The following security fixes were backported:
- CVE-2026-31838 / GHSA-974c-2wxh-g4ww: (CVSS score 6.9, Medium): Debug Endpoints Allow Cross-Namespace Proxy Data Access.
- CVE-2026-31837 / GHSA-v75c-crr9-733c: (CVSS score 8.7, High): JWKS Resolver Failure May Allow Authentication Bypass Using Known Default Keys.
Other Istio Security Fixes
The following security fixes were backported:
- Fixed XDS debug endpoints on plaintext port 15010 to require authentication, preventing unauthenticated access to proxy configuration.
- Fixed potential SSRF in `WasmPlugin` image fetching by validating bearer token realm URLs.
- Fixed HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.
Solo Flavor Changes
No changes in this section.
FIPS Flavor Changes
No changes in this section.