PT-2026-5760 · Kubernetes+1 · Ingress-Nginx+1

Published 2026-02-02 · Updated 2026-03-10 · CVE-2026-1580

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ingress-nginx versions prior to v1.13.7
ingress-nginx versions 1.14.0 through 1.14.3

Description

The nginx.ingress.kubernetes.io/auth-method Ingress annotation in ingress-nginx can be exploited to inject configuration into nginx. This can lead to arbitrary code execution within the ingress-nginx controller's context. Additionally, it may result in the disclosure of Secrets accessible to the controller, which, in a default installation, includes all cluster-wide Secrets. An attacker with Ingress creation permissions can bypass validation to inject arbitrary Nginx configuration and potentially steal controller credentials.

Recommendations

Versions prior to v1.13.7 should be updated to a later, secure version.
Versions 1.14.0 through 1.14.3 should be updated to a later, secure version.
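
An audit sketch for the annotation named in the description, added here as an example and not taken from the ingress-nginx project or this advisory: it scans an Ingress list for auth-method values that are not a bare HTTP method. The allowlist of standard method names, the character set treated as nginx metacharacters, and the sample objects are assumptions constructed for illustration.

```python
import json

ANNOTATION = "nginx.ingress.kubernetes.io/auth-method"
# Assumption: only the standard HTTP method names are legitimate values.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE",
                "CONNECT", "OPTIONS", "TRACE"}
# Characters that have structural meaning in an nginx configuration file.
CONFIG_CHARS = set(" \t\r\n;{}#\"'$\\")


def audit_ingresses(ingress_list):
    """Return one finding per Ingress whose auth-method value is not a bare HTTP method."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None or value in HTTP_METHODS:
            continue
        if CONFIG_CHARS & set(value):
            reason = "contains nginx configuration metacharacters"
        else:
            reason = "not a standard HTTP method"
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "<unnamed>"),
            "value": value,
            "reason": reason,
        })
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "shop", "namespace": "web",
     "annotations": {"nginx.ingress.kubernetes.io/auth-method": "POST"}}},
  {"metadata": {"name": "legacy", "namespace": "web",
     "annotations": {"nginx.ingress.kubernetes.io/auth-method": "FETCH"}}},
  {"metadata": {"name": "odd", "namespace": "dev",
     "annotations": {"nginx.ingress.kubernetes.io/auth-method": "GET; constructed-extra-text"}}},
  {"metadata": {"name": "plain", "namespace": "dev"}}
]}
""")

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        print(f"{f['namespace']}/{f['name']}: {f['value']!r} ({f['reason']})")
```

On a live cluster the same function can be fed the parsed output of `kubectl get ingress -A -o json`; any finding is a reason to review who created the object, alongside upgrading the controller.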

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-03565
BIT-NGINX-INGRESS-CONTROLLER-2026-1580
CVE-2026-1580
GHSA-9H3P-52VH-959W
GO-2026-4423
SUSE-SU-2026:0403-1

Affected Products

Red Os
Ingress-Nginx