PT-2026-24119 · Kubernetes+1 · Ingress-Nginx+1

Kai Aizen

·

Published

2026-03-09

·

Updated

2026-07-02

·

CVE-2026-3288

CVSS v2.0

9.0

High

VectorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions ingress-nginx versions prior to 1.13.7 ingress-nginx versions prior to 1.14.3
Description A security issue exists due to insufficient input validation when processing Ingress resource annotations. An attacker can use the nginx.ingress.kubernetes.io/rewrite-target annotation to inject arbitrary configuration directives into the nginx.conf file. This configuration injection can lead to arbitrary code execution within the context of the ingress-nginx controller and the disclosure of Secrets accessible to the controller, which, in default installations, may include all Secrets cluster-wide.
Recommendations Update ingress-nginx to version 1.13.7 or later. Update ingress-nginx to version 1.14.3 or later. As a temporary mitigation, restrict or avoid using the nginx.ingress.kubernetes.io/rewrite-target annotation.

Exploit

Fix

RCE

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-02870
BIT-NGINX-INGRESS-CONTROLLER-2026-3288
CVE-2026-3288

Affected Products

Red Os
Ingress-Nginx