SB2026020407 - Multiple vulnerabilities in Ingress-NGINX Controller for Kubernetes
Published: February 4, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-1580)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to improper input validation leading to configuration injection where the nginx.ingress.kubernetes.io/auth-method Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
2) Code Injection (CVE-ID: CVE-2026-24512)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to improper input validation where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
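Both issues 1 and 2 share the same mitigation pattern until the update is applied: audit the Ingress objects a cluster already accepts for auth-method annotations and rule paths that do not look like what those fields are meant to carry. The script below is an added example, not part of this bulletin or of the ingress-nginx project; the allowlists it enforces (a bare upper-case HTTP method token, and paths free of whitespace, quotes, semicolons, braces and hashes) are this example's own assumptions, and the IngressList it parses is constructed to mirror `kubectl get ingress -A -o json`.

```python
"""Audit Ingress objects for auth-method annotations and rule paths that fall
outside a conservative allowlist. Added example, not part of the bulletin or
of ingress-nginx; the allowlists below are this example's own assumptions."""
import json
import re
from typing import Dict, List

AUTH_METHOD_ANNOTATION = "nginx.ingress.kubernetes.io/auth-method"

# Assumption: a legitimate auth-method is a bare HTTP method token such as
# GET or POST, so anything else (spaces, punctuation, newlines) is flagged.
SAFE_AUTH_METHOD = re.compile(r"^[A-Z]{1,16}$")

# Assumption: a legitimate path contains no whitespace, quotes, semicolons,
# braces, hashes or control characters; those have meaning in nginx
# configuration syntax and no place in a URL path or a path regex.
SUSPICIOUS_PATH_CHARS = re.compile(r"[\s;{}#'\"]|[\x00-\x1f\x7f]")


def audit_ingress(ingress: Dict) -> List[str]:
    """Return one finding per suspicious annotation or path in a single Ingress."""
    findings: List[str] = []
    meta = ingress.get("metadata") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

    method = (meta.get("annotations") or {}).get(AUTH_METHOD_ANNOTATION)
    if method is not None and not SAFE_AUTH_METHOD.fullmatch(method):
        findings.append(
            f"{name}: {AUTH_METHOD_ANNOTATION}={method!r} is not a bare HTTP method"
        )

    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            path = entry.get("path", "")
            if not path.startswith("/") or SUSPICIOUS_PATH_CHARS.search(path):
                findings.append(f"{name}: path {path!r} contains unexpected characters")
    return findings


def audit_ingress_list(doc: Dict) -> List[str]:
    """Audit an IngressList document as produced by `kubectl get ingress -A -o json`."""
    findings: List[str] = []
    for item in doc.get("items") or []:
        findings.extend(audit_ingress(item))
    return findings


# Constructed sample mirroring `kubectl get ingress -A -o json`; the namespaces,
# names, hosts and values are made up for this example.
SAMPLE_INGRESS_LIST = json.loads("""
{
  "kind": "IngressList",
  "items": [
    {
      "metadata": {"namespace": "shop", "name": "storefront",
                   "annotations": {"nginx.ingress.kubernetes.io/auth-method": "POST"}},
      "spec": {"rules": [{"host": "shop.example.test",
               "http": {"paths": [{"path": "/", "pathType": "Prefix"},
                                  {"path": "/api/(.*)", "pathType": "ImplementationSpecific"}]}}]}
    },
    {
      "metadata": {"namespace": "ops", "name": "dashboard",
                   "annotations": {"nginx.ingress.kubernetes.io/auth-method": "GET extra"}},
      "spec": {"rules": [{"host": "ops.example.test",
               "http": {"paths": [{"path": "/dash board", "pathType": "Prefix"}]}}]}
    }
  ]
}
""")

if __name__ == "__main__":
    # Run against a live cluster by piping `kubectl get ingress -A -o json`
    # into json.load(sys.stdin) instead of the constructed sample.
    for finding in audit_ingress_list(SAMPLE_INGRESS_LIST):
        print(finding)
```

The regex path `/api/(.*)` passes because regex metacharacters are legitimate in ImplementationSpecific paths; the heuristic only rejects characters that should never appear in a path. A finding is a prompt to inspect the object and its author, not proof of exploitation.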
3) Improper authorization (CVE-ID: CVE-2026-24513)
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper authorization checks where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.
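Issue 3 only bites when the custom-errors backend answers with a success status instead of the status ingress-nginx hands it in the X-Code header. The following is an added example, not part of this bulletin or of ingress-nginx: a minimal custom-errors backend that always echoes a well-formed 4xx/5xx X-Code and collapses anything else to 500, plus a probe a defender can point at an already deployed backend to confirm it honours X-Code. The header name comes from the bulletin; the handler, the probe and the local-server helper are this example's own.

```python
"""Custom-errors backend that honours X-Code, and a probe for checking one.
Added example, not part of the bulletin or of ingress-nginx."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Tuple


def resolve_status(headers: Mapping[str, str]) -> int:
    """Status the error page must carry. A missing, non-numeric or non-error
    X-Code collapses to 500 so a defective header never yields a 2xx."""
    raw = headers.get("X-Code", "")
    if not raw.isdigit():
        return 500
    code = int(raw)
    return code if 400 <= code <= 599 else 500


def build_error_response(headers: Mapping[str, str]) -> Tuple[int, bytes]:
    """Status and body for the error page, derived only from X-Code."""
    status = resolve_status(headers)
    body = f"<html><body><h1>{status}</h1></body></html>".encode()
    return status, body


class ErrorPageHandler(BaseHTTPRequestHandler):
    """Answers every request with the status ingress-nginx asked for."""

    def do_GET(self) -> None:
        status, body = build_error_response(self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # auth-url protected requests may use any method

    def log_message(self, fmt, *args) -> None:  # keep the example quiet
        return


def backend_honours_x_code(base_url: str, code: int = 401) -> bool:
    """Probe a running custom-errors backend: send X-Code and confirm the same
    status comes back. A 2xx answer here is exactly the defect the bulletin
    describes, so it returns False."""
    req = urllib.request.Request(base_url, headers={"X-Code": str(code)})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == code
    except urllib.error.HTTPError as err:
        return err.code == code
    except urllib.error.URLError:
        return False


def start_local_backend() -> Tuple[HTTPServer, str]:
    """Serve ErrorPageHandler on an ephemeral loopback port in a daemon thread;
    returns the server (call .shutdown() when done) and its base URL."""
    server = HTTPServer(("127.0.0.1", 0), ErrorPageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    server, url = start_local_backend()
    print(url, "honours X-Code 401:", backend_honours_x_code(url, 401))
    print(url, "honours X-Code 403:", backend_honours_x_code(url, 403))
    server.shutdown()
```

To check a backend already deployed as the controller's default custom-errors service, port-forward to it and call `backend_honours_x_code` with that URL for both 401 and 403; a False for either means an auth-url failure would be turned into an apparently successful response.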
4) Input validation error (CVE-ID: CVE-2026-24514)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the validating admission controller feature. A remote user can send large requests to the validating admission controller and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://discuss.kubernetes.io/t/security-advisory-multiple-issues-in-ingress-nginx/34115
- https://github.com/kubernetes/kubernetes/issues/136677
- https://github.com/kubernetes/kubernetes/issues/136678
- https://github.com/kubernetes/kubernetes/issues/136679
- https://github.com/kubernetes/kubernetes/issues/136680