PT-2026-24119 · Kubernetes+1 · Ingress-Nginx+1
Kai Aizen
·
Published
2026-03-09
·
Updated
2026-07-02
·
CVE-2026-3288
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
ingress-nginx versions prior to 1.13.7
ingress-nginx versions prior to 1.14.3
Description
A security issue exists due to insufficient input validation when processing Ingress resource annotations. An attacker can use the
nginx.ingress.kubernetes.io/rewrite-target annotation to inject arbitrary configuration directives into the nginx.conf file. This configuration injection can lead to arbitrary code execution within the context of the ingress-nginx controller and the disclosure of Secrets accessible to the controller, which, in default installations, may include all Secrets cluster-wide.Recommendations
Update ingress-nginx to version 1.13.7 or later.
Update ingress-nginx to version 1.14.3 or later.
As a temporary mitigation, restrict or avoid using the
nginx.ingress.kubernetes.io/rewrite-target annotation.Exploit
Fix
RCE
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Red Os
Ingress-Nginx