Sign In

CVE-2026-39350

ADVISORY - github

Summary

Impact

The serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting SA e.g. cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants.

Patches

Fixes are available in 1.29.2, 1.28.6, and 1.27.9

Workarounds

None

EPSS Score: 0.00025 (0.069)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-185

Incorrect Regular Expression

CWE-863

Incorrect Authorization

ADVISORY - github

CWE-185

Incorrect Regular Expression

ADVISORY - redhat

CWE-625

Permissive Regular Expression

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in