PT-2026-5761 · Kubernetes+1 · Ingress-Nginx+1

Maxime Escourbiac

Published

2026-02-02

Updated

2026-04-19

CVE-2026-24512

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions ingress-nginx versions prior to v1.13.7 ingress-nginx versions 1.14.0 through 1.14.2

Description The rules.http.paths.path Ingress field in ingress-nginx can be exploited to inject configuration into nginx. This can result in arbitrary code execution within the ingress-nginx controller's context and potential disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets cluster-wide. The vulnerability lies in the improper handling of the rules.http.paths.path parameter, allowing malicious configuration to be injected.

Recommendations Upgrade ingress-nginx to version 1.13.7 or later. Upgrade ingress-nginx to a version greater than 1.14.2.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2026-01287

BIT-NGINX-INGRESS-CONTROLLER-2026-24512

CVE-2026-24512

GHSA-JX8C-56MG-H6VP

GO-2026-4426

SUSE-SU-2026:0403-1

Affected Products

Red Os

Ingress-Nginx

PT-2026-5761 · Kubernetes+1 · Ingress-Nginx+1

CVE-2026-24512

Weakness Enumeration

Related Identifiers

Affected Products

References · 109