Product Overview
The ingress-nginx controller is a Kubernetes component responsible for translating Ingress resources into active NGINX configuration. It runs with elevated privileges inside the cluster and typically has access to Secrets, TLS material, and service endpoints. Any weakness in how user-controlled Ingress fields are rendered into NGINX configuration directly impacts cluster security.
Vulnerability Overview
Two high-impact vulnerabilities were identified in ingress-nginx that allow configuration injection through improperly validated Ingress fields. These issues affect all deployments where untrusted or semi-trusted users, automation, or CI/CD pipelines are permitted to create or modify Ingress objects.
Both vulnerabilities result from user-supplied values being copied directly into generated NGINX configuration without sufficient sanitization. As a consequence, arbitrary NGINX directives may be injected and executed by the controller during configuration reload.
Vulnerability Identification
| CVE Name | CVE ID | CVSS Score | Severity | Affected Component |
|---|---|---|---|---|
| Ingress Path Configuration Injection | CVE-2026-24512 | 8.8 | High | spec.rules.http.paths.path |
| Annotation-Based Configuration Injection | CVE-2026-1580 | 8.8 | High | nginx.ingress.kubernetes.io/auth-method |
Affected Versions
All ingress-nginx controller versions prior to v1.13.7 and v1.14.3 are affected.
Technical Description
CVE-2026-24512
The path field under spec.rules.http.paths is intended to define URL routing behavior. Due to missing validation, specially crafted path values containing control characters or directive-like content are rendered directly into the generated NGINX configuration.
This allows attackers to inject additional NGINX directives, potentially altering request handling logic, loading unexpected configuration fragments, or triggering execution paths that expose Secrets or enable command execution within the controller container.
CVE-2026-1580
The nginx.ingress.kubernetes.io/auth-method annotation is processed as part of authentication configuration. Improper sanitization allows injection of arbitrary NGINX configuration tokens through this annotation. Once injected, the malicious configuration is applied during NGINX reload, executing with the controller’s privileges.
Exploitation Details
Exploitation Prerequisites
- Ability to create or update Kubernetes Ingress resources
- No requirement for direct network access to the controller pod
- No user interaction required
Exploitation Method
- A malicious Ingress resource is submitted with crafted path values or annotation content
- The ingress-nginx controller generates NGINX configuration using the supplied values
- The injected directives are executed when NGINX reloads its configuration
Potential Impact
- Remote Code Execution within the ingress controller container
- Disclosure of Kubernetes Secrets accessible to the controller
- Manipulation of request routing and traffic interception
- Service disruption or denial of service
- Lateral movement within the cluster
Proof of Concept Availability
No fully weaponized public exploit has been widely released at the time of disclosure. However, proof-of-concept payloads demonstrating configuration injection through Ingress fields are trivial to construct and are commonly shared in security research contexts for educational purposes only.
Due to the nature of the flaw, exploitation does not require complex payloads and can be achieved using simple text injection techniques.
MITRE Mapping
- CWE-20 – Improper Input Validation
- CWE-94 – Code Injection (via configuration interpretation)
Detection Strategy
Log Sources
- Kubernetes API Server Audit Logs
- ingress-nginx Controller Logs
- NGINX Error Logs within Controller Pods
- Kubernetes RBAC and Secret Access Logs
- Network Telemetry from Controller Pods
Indicators of Compromise
Behavioral Indicators
- Unexpected creation or modification of Ingress resources
- NGINX configuration reload failures or warnings
- Sudden access to Secrets by the ingress controller
- Outbound network connections from the controller pod
- Abnormal routing behavior or header manipulation
Suspicious Patterns
- Ingress paths containing control characters or directive keywords
- Authentication annotations containing multi-line values
- Repeated NGINX reloads triggered by Ingress changes
Detection Queries
Kubernetes Audit Log Query
```
objectRef.resource = "ingresses"
AND verb IN ("create","update")
AND (
  requestObject.spec.rules[*].http.paths[*].path MATCHES "(;|\\n|\\r|include|proxy_pass|set_by_lua)"
  OR
  requestObject.metadata.annotations["nginx.ingress.kubernetes.io/auth-method"] MATCHES "(;|\\n|include|proxy_pass|lua)"
)
```
kubectl Hunting Command
```bash
# Lists every Ingress whose path or auth-method annotation contains a directive-like token.
# `// ""` guards against null paths/annotations, which would otherwise make jq's test() error out,
# and any() ensures each Ingress is printed once even when it has several matching paths.
kubectl get ingresses --all-namespaces -o json | \
jq '.items[]
  | select(
      any(.spec.rules[]?.http.paths[]?.path // ""; test("(?i)(;|include|proxy_pass|lua)"))
      or
      ((.metadata.annotations["nginx.ingress.kubernetes.io/auth-method"] // "") | test("(?i)(;|include|lua)"))
    )
  | {namespace: .metadata.namespace, name: .metadata.name}'
```
ingress-nginx Log Pattern
unknown directive
failed to load configuration
invalid number of arguments
Mitigation and Remediation
Immediate Actions
- Restrict RBAC permissions for creating and modifying Ingress resources
- Disable self-service Ingress creation in multi-tenant environments
- Monitor audit logs for suspicious Ingress activity
Long-Term Remediation
- Upgrade ingress-nginx controller to a patched version
- Implement admission controls to validate Ingress fields
- Enforce least-privilege access for the controller service account
- Rotate Secrets accessible by the controller if compromise is suspected
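The same field checks serve both the admission-control recommendation above and the "Suspicious Patterns" hunting list earlier on this page. The following validator is an added example, not part of this advisory or of the ingress-nginx project; the allowlist regex and the sample Ingress objects are assumptions constructed for illustration, and the checks can be wired into a validating webhook or run over `kubectl get ingresses -A -o json` output.

```python
import re

# Assumed, conservative allowlist for Ingress path values: must start with "/" and
# contain only characters that cannot terminate or open an NGINX directive
# (no ";", "{", "}", "$", "#", whitespace or control characters).
SAFE_PATH = re.compile(r"/[A-Za-z0-9._~%/@+-]*")
# Tokens that never belong in a single-line auth-method annotation value.
BAD_ANNOTATION = re.compile(r"[;{}\r\n\x00-\x1f]|\binclude\b|\bproxy_pass\b|lua", re.I)
AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"

def validate_ingress(ingress: dict) -> list:
    """Return a list of findings for one Ingress object (empty list means clean)."""
    findings = []
    meta = ingress.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for p in (rule.get("http") or {}).get("paths") or []:
            path = p.get("path")
            # fullmatch (not match) so a trailing newline cannot slip past the check
            if path is not None and not SAFE_PATH.fullmatch(path):
                findings.append(f"{ident}: unsafe path {path!r}")
    value = (meta.get("annotations") or {}).get(AUTH_METHOD)
    if value is not None and BAD_ANNOTATION.search(value):
        findings.append(f"{ident}: unsafe {AUTH_METHOD} value {value!r}")
    return findings

def scan_ingress_list(doc: dict) -> list:
    """Scan a `kubectl get ingresses -A -o json` document (an Ingress list)."""
    out = []
    for item in doc.get("items") or []:
        out.extend(validate_ingress(item))
    return out

# Constructed sample objects, not real cluster data.
CLEAN = {"metadata": {"namespace": "web", "name": "shop"},
         "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1", "pathType": "Prefix"}]}}]}}
INJECTED_PATH = {"metadata": {"namespace": "web", "name": "bad-path"},
                 "spec": {"rules": [{"http": {"paths": [{"path": "/login;\n", "pathType": "Prefix"}]}}]}}
MULTILINE_ANNOTATION = {"metadata": {"namespace": "web", "name": "bad-auth",
                                     "annotations": {AUTH_METHOD: "GET\nPOST"}},
                        "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}}

if __name__ == "__main__":
    for finding in scan_ingress_list({"items": [CLEAN, INJECTED_PATH, MULTILINE_ANNOTATION]}):
        print(finding)
```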
Official Patch / Upgrade
Upgrade ingress-nginx controller to one of the following versions or later:
- v1.13.7
- v1.14.3
Official upgrade and release information:
https://github.com/kubernetes/ingress-nginx/releases
Final Takeaway
If exploitation is suspected, the controller pod should be treated as compromised. Secrets accessed by the controller must be rotated, affected workloads redeployed, and historical audit logs reviewed to determine the scope of impact.
