Critical Alert: High-Severity Vulnerabilities in Kubernetes Ingress-NGINX
The Kubernetes Security Response Committee has issued a critical advisory regarding multiple high-severity vulnerabilities in the widely used ingress-nginx controller. These flaws, if exploited, could allow attackers to inject malicious configuration directives, leading to Remote Code Execution (RCE) and potential cluster compromise.
If you are running ingress-nginx versions prior to v1.13.7 or v1.14.3, your clusters are at risk.
What to remember
- Critical Flaws: Multiple CVEs, including CVE-2026-24512, allow attackers to bypass security controls.
- RCE Risk: The vulnerability permits arbitrary code execution within the controller’s context via configuration injection.
- Affected Versions: All versions prior to v1.13.7 and v1.14.3 are vulnerable.
- Immediate Action: Upgrading to the patched versions is the only definitive fix; workarounds are temporary.
The Vulnerabilities
The advisory covers four distinct CVEs, with CVE-2026-24512 being the most critical (CVSS 8.8).
CVE-2026-24512: Configuration Injection
- The Flaw: Improper sanitization in the rules.http.paths.path field of the Ingress resource.
- The Exploit: An attacker with permission to create or edit Ingress objects can inject NGINX configuration directives via the path field.
- The Impact: This allows the execution of arbitrary code within the ingress-nginx controller’s context. Since the controller often has broad access to cluster secrets (by default), a successful exploit can lead to full cluster takeover and data exfiltration.
Other Associated CVEs:
- CVE-2026-1580
- CVE-2026-24513
- CVE-2026-24514
Am I Vulnerable?
You are vulnerable if you have ingress-nginx installed and are running an affected version. Check your current version by listing the pods and inspecting the image tag:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx -o jsonpath='{..image}'
Affected Versions:
- ingress-nginx < v1.13.7
- ingress-nginx < v1.14.3
Immediate Mitigation
Upgrade Immediately. The only complete fix is to upgrade your controller to a patched version.
- Fixed Version: v1.13.7
- Fixed Version: v1.14.3
Refer to the official Upgrading Ingress-Nginx documentation for the correct procedure.
Temporary Workaround:
If an immediate upgrade is not possible, you can mitigate the risk by using a Validating Admission Controller. Configure it to reject any Ingress resource that uses the ImplementationSpecific path type or contains suspicious characters in the path field. However, this is a stopgap measure, not a fix.
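The workaround above, written out as a Kubernetes ValidatingAdmissionPolicy with a CEL rule; this is an added example, not configuration from the advisory or the ingress-nginx project, and the policy name, binding name and the allowed-character set are assumptions you should adapt to your own environment:

```yaml
# Added example (assumed names): deny Ingress objects that use the
# ImplementationSpecific pathType or carry unusual characters in the path.
# Requires a cluster where ValidatingAdmissionPolicy is GA (v1 API).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-ingress-paths
spec:
  failurePolicy: Fail          # reject the request if the policy itself cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    # Walk every rule -> http -> path entry. An Ingress with no rules (default
    # backend only) passes. Each path must avoid ImplementationSpecific and,
    # when a path string is present, match a conservative character allow-list
    # (assumed set: letters, digits, slash, dot, underscore, tilde, hyphen).
    - expression: |
        !has(object.spec.rules) ||
        object.spec.rules.all(r,
          !has(r.http) ||
          r.http.paths.all(p,
            p.pathType != 'ImplementationSpecific' &&
            (!has(p.path) || p.path.matches('^[A-Za-z0-9/._~-]*$'))))
      message: >-
        Ingress paths must use pathType Prefix or Exact and may only contain
        letters, digits and the characters / . _ ~ - (temporary mitigation
        for the ingress-nginx configuration injection advisory).
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-ingress-paths-binding
spec:
  policyName: restrict-ingress-paths
  validationActions: ["Deny"]  # enforce; switch to ["Audit"] to dry-run first
```

Note that legitimate Ingresses relying on regex paths (for example with a rewrite-target annotation) also use ImplementationSpecific and will be rejected, so run the binding in Audit mode first or scope it with a namespaceSelector.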
Conclusion
Ingress controllers are the gateway to your cluster, making them a high-value target. With the project scheduled for retirement in March 2026, maintaining the security of this component is more critical than ever. Patch now.
Frequently Asked Questions (FAQ)
What is CVE-2026-24512?
CVE-2026-24512 is a critical configuration injection vulnerability in Ingress-NGINX (CVSS 8.8) that allows attackers to inject NGINX directives via the path field.
What is the impact of this vulnerability?
Exploitation allows for the execution of arbitrary code (RCE) within the ingress-nginx controller's context, potentially leading to full cluster takeover and data exfiltration.
Which versions of Ingress-NGINX are affected?
You are vulnerable if you are running ingress-nginx versions prior to v1.13.7 or versions prior to v1.14.3.
How do I fix this issue?
The only complete fix is to upgrade your controller immediately to patched versions v1.13.7 or v1.14.3 following official documentation.
Is there a temporary workaround?
Yes, you can use a Validating Admission Controller to reject Ingress resources with specific path types or suspicious characters, but this is only a stopgap measure.
Resources
- Official Kubernetes Security Advisory: https://discuss.kubernetes.io/t/security-advisory-multiple-issues-in-ingress-nginx/34115