#VU122287 Code Injection in Ingress-NGINX Controller for Kubernetes - CVE-2026-24512

 


Published: February 4, 2026


Vulnerability identifier: #VU122287
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-24512
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Ingress-NGINX Controller for Kubernetes
Software vendor: Kubernetes

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to improper input validation: the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and to disclosure of Secrets accessible to the controller.
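An added example, not part of the advisory or of the ingress-nginx project: an audit that reads the JSON produced by kubectl get ingress -A -o json and lists every Ingress whose rules.http.paths.path value contains characters outside a conservative allowlist. The allowlist, the function name and the sample data are assumptions constructed for illustration; legitimate regex-style paths are flagged too and need manual review.

```python
import json
import re

# Assumption: a conservative allowlist for literal URL paths. Regex-style
# paths (legitimate with pathType ImplementationSpecific) fall outside it
# and are reported for manual review as well.
SAFE_PATH = re.compile(r"/[A-Za-z0-9/_.~%-]*")

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
             {"path": "/cart", "pathType": "Prefix"},
             {"path": "/api/v1.2/items", "pathType": "Exact"}]}}]}},
        {"metadata": {"namespace": "dev", "name": "odd"},
         "spec": {"rules": [
             {"host": "no-http.example.test"},  # rule without an http block
             {"http": {"paths": [
                 {"path": "/a;{constructed}\n",
                  "pathType": "ImplementationSpecific"}]}}]}},
    ]
})


def audit_ingress_paths(ingress_list_json):
    """Return (namespace, name, path) for every path outside the allowlist."""
    findings = []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            http = rule.get("http") or {}
            for entry in http.get("paths") or []:
                path = entry.get("path")
                if path is None:
                    continue  # path is optional for ImplementationSpecific
                # fullmatch rejects trailing newlines that `$` would accept
                if not SAFE_PATH.fullmatch(path):
                    findings.append(
                        (meta.get("namespace"), meta.get("name"), path))
    return findings


if __name__ == "__main__":
    for ns, name, path in audit_ingress_paths(SAMPLE):
        print(f"review {ns}/{name}: path={path!r}")
```

A finding is a prompt to inspect the object and who created it, not proof of exploitation.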



Remediation

Install updates from the vendor's website.
