Description
A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Published: 2026-02-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Ingress-nginx contains a flaw that allows an attacker to inject configuration directives into nginx by manipulating the path field of an Ingress resource. This vulnerability can lead to arbitrary code execution within the ingress-nginx controller and the disclosure of Secrets the controller can read, which in a default installation includes all cluster Secrets.

Affected Systems

The vulnerability affects installations of the ingress-nginx controller for Kubernetes. Specific affected versions are not listed, so any version of the controller that has not yet applied the fix is potentially impacted. The default configuration permits the controller to access every Secret cluster-wide, increasing the risk.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. Its EPSS score is less than 1%, indicating a very low probability of public exploitation at present. The vulnerability is not in the CISA KEV catalog. Exploitation would require the ability to create or modify an Ingress object with a crafted path field; the attack vector is likely internal to the cluster and dependent on role-based access controls that allow users to create Ingress resources.

Generated by OpenCVE AI on April 16, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ingress-nginx to the latest patched release that removes the path injection vulnerability
  • If an upgrade cannot be performed immediately, restrict creation of Ingress objects to trusted users and enforce strict role-based access control
  • Reconfigure the controller's RBAC to limit its read access to Secrets only to the namespaces it actually serves

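An added audit check (not OpenCVE's or the ingress-nginx project's code) that supports the second recommended action above: it scans parsed Ingress objects and reports every `rules.http.paths.path` value that falls outside a strict allowlist of URL path characters, so existing objects can be reviewed while an upgrade is pending. The sample objects, namespaces and names below are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Allowlist for rules.http.paths.path: a leading slash followed only by
# unreserved URL path characters. Anything else is reported for review; the
# check deliberately does not try to model nginx's configuration syntax.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._~/-]*")


def unsafe_ingress_paths(ingresses: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (namespace, name, path) for every path value outside the allowlist.
    `ingresses` is the `items` list of `kubectl get ingress -A -o json`,
    already parsed into plain dicts."""
    findings: List[Tuple[str, str, str]] = []
    for ing in ingresses:
        meta = ing.get("metadata") or {}
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        for rule in (ing.get("spec") or {}).get("rules") or []:
            for entry in (rule.get("http") or {}).get("paths") or []:
                path = entry.get("path")
                if path is None:          # path is optional; nothing to check
                    continue
                # fullmatch, not match(): a `$` anchor would accept a trailing newline
                if SAFE_PATH.fullmatch(path) is None:
                    findings.append((ns, name, path))
    return findings


# Constructed sample input (not from a real cluster): two ordinary objects,
# one regex-style path that needs a human look, and one clearly malformed path.
SAMPLE_ITEMS = [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
         {"path": "/", "pathType": "Prefix"},
         {"path": "/api/v1", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "static"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/assets/img_2024~v1", "pathType": "Exact"}]}}]}},
    {"metadata": {"namespace": "dev", "name": "legacy"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/api/.*", "pathType": "ImplementationSpecific"}]}}]}},
    {"metadata": {"namespace": "dev", "name": "odd"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/x y", "pathType": "Prefix"}]}}]}},
]

if __name__ == "__main__":
    for ns, name, path in unsafe_ingress_paths(SAMPLE_ITEMS):
        print(f"{ns}/{name}: review path {path!r}")
```

Regex-style paths used with pathType ImplementationSpecific are reported as well and need a human look rather than automatic rejection. The same allowlist can be enforced at admission time with a validating admission policy so that new objects are checked before the controller ever renders them.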


Advisories
Source: Github GHSA
ID: GHSA-jx8c-56mg-h6vp
Title: ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx
History

Mon, 09 Mar 2026 21:15:00 +0000

Type: Description
Values Removed: A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Values Added: A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Wed, 04 Feb 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Kubernetes; Kubernetes ingress-nginx
Type: Vendors & Products
Values Added: Kubernetes; Kubernetes ingress-nginx

Tue, 03 Feb 2026 22:45:00 +0000

Type: Description
Values Added: A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Type: Title
Values Added: ingress-nginx auth-method nginx configuration injection
Type: Weaknesses
Values Added: CWE-20
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Kubernetes Ingress-nginx
MITRE

Status: PUBLISHED

Assigner: kubernetes

Published:

Updated: 2026-03-09T21:01:16.788Z

Reserved: 2026-01-23T06:54:35.912Z

Link: CVE-2026-24512

Vulnrichment

Updated: 2026-02-04T19:54:37.655Z

NVD

Status: Deferred

Published: 2026-02-03T23:16:06.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses