Latest Kubernetes Ingress-NGINX Controller vulnerabilities
Today, in a message from the Kubernetes Security Response Committee (SRC), users were notified of four vulnerabilities which, if left exposed and unpatched, could be exploited by unauthenticated attackers to achieve remote code execution.
What's the impact?
Three of the vulnerabilities relate to validation and sanitization of user-controlled fields (CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514). Of the three, CVE-2026-24513 is the most concerning: it potentially allows an attacker to bypass the auth-url annotation if the backend service fails to honor the X-Code HTTP header. In addition, CVE-2026-1580 potentially allows attackers to inject configuration into NGINX, leading to arbitrary code execution in the context of the Ingress-NGINX controller. Notably, the attack does appear to depend on direct network reachability of the admission controller for the Ingress-NGINX controller, which itself is an optional component that allows Kubernetes-homed services to be reached from the wider network.
Finally, it’s important to note that the very similarly named NGINX Ingress controller is not affected by these Ingress-NGINX controller vulnerabilities.
Are updates or workarounds available?
Users are advised to update to version 1.13.7, 1.14.3, or any later version as quickly as possible.
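The two facts a defender needs from this advisory are the fixed versions (1.13.7, 1.14.3, or later) and whether the admission controller is reachable from outside the cluster. The script below is an added example, not runZero's or the ingress-nginx project's code: it reads the JSON that `kubectl get deploy -A -o json` and `kubectl get svc -A -o json` emit and reports controller images below the fixed releases as well as admission webhook Services exposed beyond ClusterIP. It assumes the controller image path contains `ingress-nginx/controller` and the webhook Service name ends in `-admission` (the project's defaults, not something the advisory states); the sample inputs are constructed so it runs offline.

```python
"""Triage helper for the Ingress-NGINX advisory (added example, not runZero's
or the ingress-nginx project's code). Assumptions: controller image path
contains "ingress-nginx/controller"; admission webhook Service name ends in
"-admission". Sample data below is constructed in the shape of kubectl -o json."""
import json
import re

# Fixed releases from the advisory: 1.13.7, 1.14.3, and any later version.
FIXED_PATCH = {13: 7, 14: 3}
FIRST_FIXED_MINOR = min(FIXED_PATCH)

# Tag at the end of an image reference, with optional pre-release and digest.
VERSION_RE = re.compile(
    r":v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(?:@sha256:[0-9a-f]{64})?$"
)


def parse_version(image):
    """(major, minor, patch) from an image reference, or None if untagged/unparsable."""
    m = VERSION_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(image):
    """True when the image is below 1.13.7 / 1.14.3 (or cannot be parsed, so it
    must be checked by hand); False for those releases or anything later."""
    v = parse_version(image)
    if v is None:
        return True
    major, minor, patch = v
    if major != 1:
        return major < 1              # 0.x predates the fix; 2.x would be "later"
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return minor < FIRST_FIXED_MINOR  # 1.12 and below: upgrade; 1.15+: later


def controller_images(deploy_json):
    """Yield (namespace/name, image) for every container running the controller image."""
    for item in json.loads(deploy_json).get("items", []):
        meta = item.get("metadata", {})
        ref = f'{meta.get("namespace", "")}/{meta.get("name", "")}'
        spec = item.get("spec", {}).get("template", {}).get("spec", {})
        for c in spec.get("containers", []):
            if "ingress-nginx/controller" in c.get("image", ""):
                yield ref, c["image"]


def exposed_admission_services(svc_json):
    """(namespace, name, type) for admission webhook Services not of type ClusterIP."""
    found = []
    for item in json.loads(svc_json).get("items", []):
        meta = item.get("metadata", {})
        if not meta.get("name", "").endswith("-admission"):
            continue
        svc_type = item.get("spec", {}).get("type", "ClusterIP")
        if svc_type != "ClusterIP":
            found.append((meta.get("namespace", ""), meta["name"], svc_type))
    return found


def triage(deploy_json, svc_json):
    """Combine both checks into one report."""
    return {
        "upgrade": [(ref, img) for ref, img in controller_images(deploy_json)
                    if needs_upgrade(img)],
        "exposed_admission": exposed_admission_services(svc_json),
    }


def _deploy(ns, name, image):
    """Build a minimal Deployment object (constructed sample data)."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": [{"name": "controller", "image": image}]}}}}


SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    _deploy("ingress-nginx", "ingress-nginx-controller",
            "registry.k8s.io/ingress-nginx/controller:v1.13.5@sha256:" + "0" * 64),
    _deploy("edge", "ingress-nginx-controller", "registry.k8s.io/ingress-nginx/controller:v1.14.3"),
    _deploy("apps", "web", "nginx:1.27"),  # plain nginx image, not the controller
]})

SAMPLE_SERVICES = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP"}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "LoadBalancer"}},   # webhook reachable from outside the cluster
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"type": "LoadBalancer"}},   # data-plane Service, expected to be public
]})

if __name__ == "__main__":
    report = triage(SAMPLE_DEPLOYMENTS, SAMPLE_SERVICES)
    for ref, img in report["upgrade"]:
        print(f"UPGRADE  {ref}: {img}")
    for ns, name, t in report["exposed_admission"]:
        print(f"EXPOSED  {ns}/{name} is type {t}")
```

Feed it the real `kubectl` output instead of the samples to triage a live cluster; an image reference without a parsable tag is reported as needing an upgrade on purpose, so that "latest"-style tags get a manual look rather than a silent pass.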
How to find potentially vulnerable Ingress-NGINX services with runZero
From the Services Inventory, use the following query to locate potentially vulnerable systems:
(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")