Latest Kubernetes Ingress-NGINX Controller vulnerabilities #
A configuration injection vulnerability was discovered and fixed in the Kubernetes Ingress-NGINX controller software.
- The vulnerability has been designated CVE-2026-4342 and has been rated high with a CVSS score of 8.8.
The following versions are affected:
- Ingress-NGINX controller versions before v1.13.9 (v1.13.9 itself is fixed)
- Ingress-NGINX controller versions before v1.14.5 (v1.14.5 itself is fixed)
- Ingress-NGINX controller versions before v1.15.1 (v1.15.1 itself is fixed)
What is Kubernetes Ingress-NGINX? #
The Kubernetes Ingress-NGINX controller provides reverse proxying and load balancing for Kubernetes services, acting as an HTTP/HTTPS gateway to cluster resources.
What's the impact? #
Successful exploitation could lead to arbitrary code execution in the context of the Ingress-NGINX controller, as well as disclosure of secrets accessible to the controller. The Ingress-NGINX controller can access all cluster-wide secrets in its default configuration.
Are updates or workarounds available? #
Users are encouraged to update to version 1.13.9, 1.14.5, or 1.15.1, or to any later release.
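As a triage aid that is not part of the runZero advisory, the script below checks an Ingress-NGINX controller image tag against the fixed releases named above (v1.13.9, v1.14.5, v1.15.1; these also supersede the February 2026 fixes) and reports one verdict per controller image. The `scan_cluster` helper assumes `kubectl` access and the `app.kubernetes.io/name=ingress-nginx` label used by the upstream manifests; the sample inventory at the end is constructed so the script runs offline.

```shell
# Added example, not part of the runZero advisory: classify an Ingress-NGINX
# controller image tag against the fixed releases named above (v1.13.9, v1.14.5,
# v1.15.1). Exit status: 0 = affected, 1 = fixed, 2 = not a parseable version.
ingress_nginx_affected() {
  v=${1#v}                                # accept "v1.14.2" or "1.14.2"
  v=${v%%-*}                              # drop pre-release suffixes like "-alpha.1"
  case "$v" in
    *[!0-9.]*|.*|*.|*..*) return 2 ;;     # digits and dots only, no empty field
  esac
  major=${v%%.*}; rest=${v#*.}
  [ "$rest" != "$v" ] || return 2         # need at least major.minor
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" != "$rest" ] || return 2     # need major.minor.patch
  case "$patch" in *.*) return 2 ;; esac  # reject a fourth component
  case "$major.$minor" in
    1.13) fix=9 ;;
    1.14) fix=5 ;;
    1.15) fix=1 ;;
    *) if [ $((major * 1000 + minor)) -gt 1015 ]; then return 1; else return 0; fi ;;  # <1.13 affected, 1.16+ fixed
  esac
  if [ "$patch" -lt "$fix" ]; then return 0; else return 1; fi
}

# Read "namespace image" lines and print one verdict per controller image.
classify_images() {
  while read -r ns image; do
    ref=${image%%@*}                      # drop a pinned @sha256:... digest first
    tag=${ref##*:}                        # the tag is what follows the last colon
    rc=0; ingress_nginx_affected "$tag" || rc=$?
    case "$rc" in
      0) printf 'AFFECTED  %s %s\n' "$ns" "$image" ;;
      1) printf 'fixed     %s %s\n' "$ns" "$image" ;;
      *) printf 'UNKNOWN   %s %s (tag %s is not a release version)\n' "$ns" "$image" "$tag" ;;
    esac
  done
}

# Live-cluster variant (assumes kubectl access and the upstream manifests' label); not run here.
scan_cluster() {
  kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace} {.spec.containers[0].image}{"\n"}{end}' |
    classify_images
}

# Constructed sample inventory (not real cluster output) so the script runs offline.
classify_images <<'EOF'
ingress-nginx registry.k8s.io/ingress-nginx/controller:v1.14.2@sha256:placeholderdigest
ingress-nginx registry.k8s.io/ingress-nginx/controller:v1.15.1
legacy-ns registry.k8s.io/ingress-nginx/controller:latest
EOF
```

Tags such as `latest` or a bare digest are reported as UNKNOWN rather than silently treated as fixed, so they still need a manual look.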
How to find potentially vulnerable Ingress-NGINX services with runZero #
From the Services Inventory, use the following query to locate potentially vulnerable systems:
(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")
February 2026: Kubernetes Ingress-NGINX Controller (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514) #
Today, in a message from the Kubernetes Security Response Committee (SRC), users were notified of four vulnerabilities which, if left exposed and unpatched, could be exploited by unauthenticated attackers to achieve remote code execution.
What's the impact? #
Three of the vulnerabilities relate to validation and sanitization of user-controlled fields (CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514). Of the three, CVE-2026-24513 is the most concerning: it potentially allows an attacker to bypass the auth-url annotation if the backend service fails to honor the X-Code HTTP header. In addition, CVE-2026-1580 potentially allows attackers to inject configuration into NGINX, leading to arbitrary code execution in the context of the Ingress-NGINX controller. Notably, the attack does appear to depend on a clear path to the admission controller of the Ingress-NGINX controller, which itself is an optional component that allows Kubernetes-hosted services to be reached from the wider network.
Finally, it’s important to note that the similarly named NGINX Ingress controller is not affected by these Ingress-NGINX controller vulnerabilities.
Are updates or workarounds available? #
Users are advised to update to version 1.13.7 or 1.14.3, or to any later release, as quickly as possible.
How to find potentially vulnerable Ingress-NGINX services with runZero #
From the Services Inventory, use the following query to locate potentially vulnerable systems:
(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")