Kubernetes Ingress Nginx

By the Year

In 2026 there have been 7 vulnerabilities in Kubernetes Ingress Nginx, with an average score of 7.7 out of ten. Last year, in 2025, Ingress Nginx had 5 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.54.

Year Vulnerabilities Average Score
2026 7 7.66
2025 5 8.20
2024 0 0.00
2023 4 7.65
2022 2 7.60
2021 1 7.10
2020 1 5.90

It may take a day or so for new Ingress Nginx vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Kubernetes Ingress Nginx Security Vulnerabilities

Ingress-nginx config injection enables arbitrary code execution
CVE-2026-4342 8.8 - High - March 19, 2026

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-Nginx Rewrite-Target Annotation Enables NGX Config Injection
CVE-2026-3288 8.8 - High - March 09, 2026

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-nginx Auth-Proxy Header Injection Enables Code Exec & Secret Disclosure
CVE-2025-15566 8.8 - High - February 06, 2026

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-nginx Vulnerable Validating Admission Controller Denial-of-Service
CVE-2026-24514 6.5 - Medium - February 03, 2026

A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.

Allocation of Resources Without Limits or Throttling

Ingress-nginx Auth-URL Bypass via Misconfigured Custom-Errors
CVE-2026-24513 3.1 - Low - February 03, 2026

A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

Improper Check for Unusual or Exceptional Conditions

Ingress-nginx Path Injection Arbitrary Exec & Secret Leak
CVE-2026-24512 8.8 - High - February 03, 2026

A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

ingress-nginx Auth-Annotation Injection -> Arbitrary Code Exec
CVE-2026-1580 8.8 - High - February 03, 2026

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-nginx auth-tls-match-cn Injection Enables Code Execution
CVE-2025-1097 8.8 - High - March 25, 2025

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-nginx: Arbitrary Exec via Pod Network in K8s
CVE-2025-1974 9.8 - Critical - March 25, 2025

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Separation of Privilege

ingress-nginx mirror-annotations enable arbitrary config injection & code exec
CVE-2025-1098 8.8 - High - March 25, 2025

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Directory Traversal via Admission Controller File Inclusion in ingress-nginx
CVE-2025-24513 4.8 - Medium - March 25, 2025

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Improper Input Validation

Ingress-Nginx auth-url Annotation RCE Leading to Secrets Exposure
CVE-2025-24514 8.8 - High - March 25, 2025

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Improper Input Validation

Ingress-nginx path sanitization bypass via log_format
CVE-2022-4886 6.5 - Medium - October 25, 2023

Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.

NGINX Ingress Annotation Injection -> Arbitrary Cmd Exec
CVE-2023-5043 8.8 - High - October 25, 2023

Ingress nginx annotation injection causes arbitrary command execution.

Injection

Code Injection via NGINX Ingress Annotation
CVE-2023-5044 8.8 - High - October 25, 2023

Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

Code Injection

Ingress-Nginx Path Sanitization Bypass via Newline Exposes Cluster Secrets
CVE-2021-25748 6.5 - Medium - May 24, 2023

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Ingress-nginx Path Field Abuse Exposes Controller Credentials
CVE-2021-25745 8.1 - High - May 06, 2022

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Improper Input Validation

Ingress-nginx Annotation Abuse Exposes Controller Credentials
CVE-2021-25746 7.1 - High - May 06, 2022

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use .metadata.annotations in an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Improper Input Validation

Ingress-nginx Custom Snippets Feature Exposes All Cluster Secrets
CVE-2021-25742 7.1 - High - October 29, 2021

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the custom snippets feature to obtain all secrets in the cluster.

Ingress-nginx Basic-Auth Password File Overwrite via Hyphenated Names
CVE-2020-8553 5.9 - Medium - July 29, 2020

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace or secret name.

External Control of File Name or Path
