NGINX Ingress Controller CRD Injection Allows Arbitrary Config Write
CVE-2026-55723 Published on July 15, 2026
NGINX Ingress Controller vulnerability
When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives.
Impact:
An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Vulnerability Analysis
CVE-2026-55723 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Neutralization of Equivalent Special Elements
The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements. The software may have a fixed list of special characters it believes is complete. However, there may be alternate encodings, or representations that also have the same meaning. For example, the software may filter out a leading slash (/) to prevent absolute path names, but does not account for a tilde (~) followed by a user name, which on some *nix systems could be expanded to an absolute pathname. Alternately, the software might filter a dangerous "-e" command-line switch when calling an external program, but it might not account for "--exec" or other switches that have the same semantics.
Products Associated with CVE-2026-55723
Want to know whenever a new CVE is published for F5 Networks Nginx Ingress Controller? stack.watch will email you.
Affected Versions
F5 NGINX Ingress Controller:- Version 5.0.0 and below 5.5.2 is affected.
- Version 2026-lts-r1 and below 2026-lts-r3 is affected.