PT-2026-24119 · Kubernetes+1 · Ingress-Nginx+1

Kai Aizen · Published 2026-03-09 · Updated 2026-05-06 · CVE-2026-3288

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to 1.13.7 and 1.14.3

Description: A security issue exists in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be exploited to inject configuration into NGINX. Annotation values are incorporated into the NGINX configuration template without sufficient filtering, so an attacker who can create or modify an Ingress object can inject arbitrary directives, such as include or lua, into the generated nginx.conf. This can result in arbitrary code execution in the context of the ingress-nginx controller and disclosure of the Secrets accessible to the controller; in a default installation the controller can read all Secrets cluster-wide. Exploitation can therefore lead to access to Secrets and other Kubernetes resources available to the controller and, in some scenarios, to complete cluster compromise.

Recommendations: Update to ingress-nginx version 1.13.7 or 1.14.3.
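As an added triage helper (not code from the ingress-nginx project or from this advisory), the script below checks the two things an operator wants to know: whether a controller image tag is at a fixed release, and whether any Ingress object in the cluster carries a rewrite-target annotation whose value contains NGINX configuration metacharacters or directive names. It reads the JSON that `kubectl get ingress -A -o json` produces; the embedded sample is constructed, the flagging regex is a heuristic and not the upstream annotation validator, and treating minor releases after 1.14 as fixed is an assumption of the script, since the advisory names only 1.13.7 and 1.14.3.

```python
"""Triage helper for the rewrite-target annotation issue described above.

Added example, not code from the ingress-nginx project or from this advisory.
  1. is_fixed_version: is a controller image tag at 1.13.7 / 1.14.3 or later?
  2. suspicious_rewrite_targets: does any Ingress carry a rewrite-target value
     containing NGINX configuration metacharacters or directive names?

Against a live cluster (not performed here):
  kubectl get ingress -A -o json > ingresses.json
  python3 rewrite_target_triage.py ingresses.json
"""
import json
import re
import sys

REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

# Patch levels named in the advisory, keyed by minor version of the 1.x line.
FIXED_PATCH = {13: 7, 14: 3}

# Heuristic only, not the upstream annotation validator. A legitimate
# rewrite-target is a URI path, optionally with capture-group references
# such as $1 or $2. Characters that close or open an NGINX directive or block
# (';', '{', '}', '#', newline), or a directive name followed by whitespace,
# have no business in such a value.
SUSPICIOUS = re.compile(r"[;{}#\r\n]|\b(include|load_module|lua_\w+|\w+_by_lua\w*)\s")


def version_from_image(image):
    """'registry.k8s.io/ingress-nginx/controller:v1.13.6@sha256:...' -> 'v1.13.6'."""
    ref = image.split("@", 1)[0]            # drop any digest
    if ":" not in ref.rsplit("/", 1)[-1]:   # no tag on the last path element
        raise ValueError(f"image has no tag: {image}")
    return ref.rsplit(":", 1)[1]


def parse_version(tag):
    """'v1.14.3' or '1.14.3' (optionally with a -suffix) -> (1, 14, 3)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(tag):
    """True when the tag is at or above a fixed release.

    Assumption of this script: minor releases after 1.14 and major releases
    after 1 also carry the fix. The advisory only names 1.13.7 and 1.14.3.
    """
    major, minor, patch = parse_version(tag)
    if major != 1:
        return major > 1
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return minor > 14


def suspicious_rewrite_targets(ingress_list):
    """Scan a kubectl 'List' of Ingress objects; return (namespace, name, value) hits."""
    hits = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(REWRITE_TARGET)
        if value is not None and SUSPICIOUS.search(value):
            hits.append((meta.get("namespace"), meta.get("name"), value))
    return hits


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = {
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "web", "name": "app",
                      "annotations": {REWRITE_TARGET: "/$2"}}},
        {"metadata": {"namespace": "web", "name": "lua-app",
                      "annotations": {REWRITE_TARGET: "/lua-app/$1"}}},
        {"metadata": {"namespace": "dev", "name": "no-rewrite",
                      "annotations": {"nginx.ingress.kubernetes.io/ssl-redirect": "true"}}},
        {"metadata": {"namespace": "dev", "name": "injected",
                      "annotations": {REWRITE_TARGET: "/$1;include /tmp/injected.conf"}}},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for ns, name, value in suspicious_rewrite_targets(data):
        print(f"SUSPICIOUS {ns}/{name}: {value!r}")
    for tag in ("v1.13.6", "v1.13.7", "v1.14.2", "v1.14.3"):
        print(f"{tag}: {'fixed' if is_fixed_version(tag) else 'VULNERABLE'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it scans the embedded sample and flags only the `dev/injected` object; the value `/lua-app/$1` is deliberately left alone because the regex requires a directive name followed by whitespace rather than any occurrence of the word lua. A hit is a reason to inspect the object and its author, not proof of exploitation; the only real fix is the upgrade named in the recommendation.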

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers: BDU:2026-02870, BIT-NGINX-INGRESS-CONTROLLER-2026-3288, CVE-2026-3288

Affected Products: Red Os, Ingress-Nginx