Ingress-nginx allows the nginx.ingress.kubernetes.io/auth-method annotation to inject arbitrary configuration into the embedded nginx server. This flaw is an input-validation weakness that can lead to unrestricted execution of attacker-controlled directives, potentially executing code within the ingress-nginx controller process. The vulnerability additionally exposes controller‑accessible secrets, giving an attacker the ability to read cluster‑wide secrets. The primary impact is therefore execution of code in the controller’s context and compromise of sensitive data.

All installations of the Kubernetes ingress-nginx controller are affected, regardless of the specific version; any cluster running the controller can be targeted through the auth-method annotation on Ingress resources. No specific version range is listed, indicating that the default configuration remains vulnerable across releases that have not applied a fix. The vulnerability applies to the controller pod, which typically has cluster‑wide read access to Secrets.

The CVSS score of 8.8 classifies the issue as high severity, but the EPSS figure of less than 1% suggests a very low probability of exploitation at present. The flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to create or update an Ingress resource with a malicious auth-method value, and the controller must run with permissions that allow it to read Secrets. If those conditions are satisfied, the attacker can inject configuration that executes arbitrary code and leaks secrets.