Istio versions 1.2.10 (End of Life) and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
Conclusion & alert: CVE-2020-8595 is rated Moderate Risk (59.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.61%). Core evidence: EPSS rose +1.55% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.06% | 2.61% | +1.55% |
| 2 | 2025-12-09 | 0.84% | 1.06% | +0.22% |
| 3 | 2025-11-21 | — | 0.84% | — |
Full EPSS history (19 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.3 | 3.1 | HIGH |
|
3.9 | 3.4 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2020-8595 |
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2020:0477 | Third Party Advisory |
| https://access.redhat.com/security/cve/cve-2020-8595 | Mitigation Third Party Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8595 | Issue Tracking Mitigation Third Party Advisory |
| https://github.com/istio/istio/commits/master | Patch |
| https://istio.io/news/security/ | Vendor Advisory |
| https://istio.io/news/security/istio-security-2020-001/ | Patch Vendor Advisory |