CVE-2026-39350

ADVISORY - github

Summary

Impact

The serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting SA e.g. cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants.

Patches

Fixes are available in 1.29.2, 1.28.6, and 1.27.9

Workarounds

None

EPSS Score⁠: 0.00025 (0.069)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-185⁠

Incorrect Regular Expression

CWE-863⁠

Incorrect Authorization

ADVISORY - github

CWE-185⁠

Incorrect Regular Expression

ADVISORY - redhat

CWE-625⁠

Permissive Regular Expression

Impacted images

Advisories

NIST

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2026-39350⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-185⁠CWE-863⁠

CVSS SCORE

5.4medium

GitHub

CREATED

16 hours ago

UPDATED

16 hours ago

ADVISORY IDGHSA-9gcg-w975-3rjh⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.4medium

Red Hat

CREATED

2 days ago

UPDATED

11 hours ago

ADVISORY IDCVE-2026-39350⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.4medium