PT-2026-26428 · Kubernetes · Ingress-Nginx

Wooseokdotkim · Published 2026-03-19 · Updated 2026-04-08 · CVE-2026-4342

CVSS v2.0: 9.0 (High) · AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to v1.13.9, v1.14.5, and v1.15.1

Description: A security issue exists in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller and the disclosure of Secrets accessible to the controller; in a default installation, the controller has access to all Secrets cluster-wide. Exploitation requires low-privilege Kubernetes API access (e.g., the ability to create Ingress resources). An estimated 100k–1M+ environments globally may be affected, particularly enterprise and cloud setups.

Recommendations: Upgrade to ingress-nginx version 1.13.9 or later, 1.14.5 or later, or 1.15.1 or later.
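The three fixed releases above sit on separate minor branches, so "1.14.3 is below 1.15.1" does not tell you whether a given controller is patched; the check has to compare within the branch. The following is an added example, not code from the advisory or the ingress-nginx project; it assumes controller images are tagged in the usual `controller:v1.x.y` form and assumes (the advisory does not say) that branches newer than 1.15 already carry the fix.

```python
"""Branch-aware fixed-version check for CVE-2026-4342 (ingress-nginx).
Added example, not the advisory's or the ingress-nginx project's code.
Assumes tags like 'controller:v1.14.3'; branches newer than 1.15 assumed fixed.
"""
import re

# Earliest fixed release on each affected branch, per the advisory.
FIXED_BY_BRANCH = {
    (1, 13): (1, 13, 9),
    (1, 14): (1, 14, 5),
    (1, 15): (1, 15, 1),
}

def parse_version(image_or_tag):
    """Extract (major, minor, patch) from a tag or a full image reference."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", image_or_tag)
    if not m:
        raise ValueError(f"no semantic version in {image_or_tag!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(image_or_tag):
    """True if the version predates the fixed release on its own branch."""
    major, minor, patch = parse_version(image_or_tag)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    # Anything before the 1.13 branch predates every fixed release.
    if branch < (1, 13):
        return True
    # Assumption (not stated by the advisory): newer branches carry the fix.
    return False

def triage(images):
    """Map each image reference to whether it is still affected."""
    return {img: is_affected(img) for img in images}

if __name__ == "__main__":
    # Constructed sample, shaped like the output of
    # kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}'
    sample = [
        "registry.k8s.io/ingress-nginx/controller:v1.14.3@sha256:CONSTRUCTED",
        "registry.k8s.io/ingress-nginx/controller:v1.15.1",
        "registry.k8s.io/ingress-nginx/controller:v1.12.0",
    ]
    for img, affected in triage(sample).items():
        print(("AFFECTED  " if affected else "fixed     ") + img)
```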

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2026-03523
BIT-NGINX-INGRESS-CONTROLLER-2026-4342
CVE-2026-4342
GHSA-F53H-MXV9-CP98
GO-2026-4796
SUSE-SU-2026:1135-1

Affected Products

Ingress-Nginx