Description
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Published: 2026-03-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Secret Exposure
Action: Patch Immediately
AI Analysis

Impact

Ingress-nginx allows a malicious attacker to embed configuration directives within comment-based annotations of Ingress resources. By crafting specific Ingress annotations, the attacker can inject arbitrary nginx configuration that is subsequently processed by the ingress-nginx controller. This injection can lead to arbitrary code execution in the controller's process space and the disclosure of Kubernetes Secrets that are accessible to the controller. The weakness is a failure of input validation (CWE‑20) and an unspecified CWE identified by NVD as NVD-CWE-noinfo.

Affected Systems

The vulnerability affects implementations of the Kubernetes ingress-nginx controller. No specific affected versions are listed in the CNA data; therefore the risk applies to any deployment that has not applied a remedy. In the default configuration the controller mounts all cluster secrets, so a successful attack can expose a wide range of sensitive data. The vendor listed is Kubernetes:ingress-nginx.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is 0.00052, indicating a very low probability of exploitation, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector requires the ability to create or modify Ingress resources with malicious annotations, which typically requires Kubernetes RBAC privileges to write such resources. Once injected, the controller can execute the malicious configuration. The risk is therefore significant for clusters that grant wide permission to write Ingress objects and that run the controller with full cluster‑wide access to secrets.

Generated by OpenCVE AI on April 29, 2026 at 02:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an available update to ingress-nginx and apply the latest patch as soon as possible.
  • If an update is not yet available, remove or sanitize the vulnerable comment-based annotations from any Ingress resources that are currently in the cluster.
  • Deploy an admission controller or a validating webhook that rejects Ingress objects containing suspicious annotation patterns.
  • Restrict the ingress-nginx controller's permissions so it can only read the secrets it actually needs, instead of cluster‑wide access.
  • Monitor controller logs and Kubernetes events for anomalous nginx configuration or secret disclosures.

Generated by OpenCVE AI on April 29, 2026 at 02:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f53h-mxv9-cp98 ingress-nginx comment-based nginx configuration injection
History

Tue, 28 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
cpe:2.3:a:kubernetes:ingress-nginx:1.15.0:*:*:*:*:*:*:*

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Kubernetes
Kubernetes ingress-nginx
Vendors & Products Kubernetes
Kubernetes ingress-nginx

Thu, 19 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Description A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Title ingress-nginx comment-based nginx configuration injection
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Kubernetes Ingress-nginx
cve-icon MITRE

Status: PUBLISHED

Assigner: kubernetes

Published:

Updated: 2026-03-21T04:01:49.391Z

Reserved: 2026-03-17T15:35:59.315Z

Link: CVE-2026-4342

cve-icon Vulnrichment

Updated: 2026-03-19T22:10:03.911Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:43.143

Modified: 2026-04-28T21:56:05.017

Link: CVE-2026-4342

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses