CVE-2026-24513 - Vulnerability Details

- ingress-nginx auth-url protection bypass

Description

A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration.

If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails.

Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

Published: 2026-02-03

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when ingress-nginx is configured with a default custom-errors mapping that includes HTTP error codes 401 or 403 and a defective external custom-errors backend that does not honor the X-Code header. Under these conditions, an Ingress resource annotated with auth-url can be accessed even though authentication has failed, effectively bypassing the intended protection. The consequence is that an attacker can reach resources behind the ingress without valid credentials, potentially exposing sensitive data or services.

Affected Systems

Affected deployments are Kubernetes ingress-nginx controllers that have been configured with a broken external custom-errors backend and that use the auth-url annotation for authentication. No specific product version is identified, so any release of ingress-nginx that allows this misconfiguration is potentially impacted.

Risk and Exploitability

The CVSS score of 3.1 indicates low severity, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not in the CISA KEV catalog. Exploitation requires an administrator to configure a faulty custom-errors backend; thus the attack vector is limited to privileged access or supply of misconfigured components. The risk to most environments is low unless the misconfiguration exists.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Kubernetes

ingress-nginx

affected

Version	Status	Constraints
`0`	affected	< 1.13.7
`0`	affected	< 1.14.3

No data.

Vendor	Product	Confidence	Versions
Kubernetes	Ingress-nginx	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify that the custom-errors backend validates and respects the X-Code header, or use the default built‑in backend.
Remove or correct any custom-errors configuration that maps 401 or 403 to a defective backend.
Apply the latest ingress-nginx release that addresses this issue or consult vendor advisories for updates.

Generated by OpenCVE AI on April 17, 2026 at 23:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-4g2f-xcph-2335	ingress-nginx has Improper Check for Unusual or Exceptional Conditions

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/kubernetes/kubernetes/issues/136679

History

Wed, 04 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kubernetes Kubernetes ingress-nginx
Vendors & Products		Kubernetes Kubernetes ingress-nginx

Tue, 03 Feb 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
Title		ingress-nginx auth-url protection bypass
Weaknesses		CWE-754
References		https://github.com/kubernetes/kubernetes/issues/136679
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Kubernetes Ingress-nginx

MITRE

Status: PUBLISHED

Assigner: kubernetes

Published: 2026-02-03T22:17:17.315Z

Updated: 2026-02-18T17:29:42.496Z

Reserved: 2026-01-23T06:54:35.913Z

Link: CVE-2026-24513

Vulnrichment

Updated: 2026-02-04T18:20:54.231Z

NVD

Status : Deferred

Published: 2026-02-03T23:16:07.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses

CWE-754

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object