Ingress-NGINX Flaw Enables Arbitrary Code Execution Attacks


A high-severity vulnerability has been discovered in the Kubernetes ingress-nginx controller, allowing attackers to execute arbitrary code and potentially compromise entire clusters.

Tracked as CVE-2026-24512, this high-severity flaw enables malicious actors to inject configuration directives through the ingress controller and gain unauthorized access to cluster secrets.

Vulnerability Overview

CVE-2026-24512 affects the ingress-nginx controller, a widely deployed component used to manage network traffic in Kubernetes environments.

The vulnerability stems from improper input validation in the rules.http.paths.path Ingress field, which can be exploited to inject a malicious configuration into nginx.

Attribute       Value
CVE ID          CVE-2026-24512
CVSS Score      8.8 (High)
Attack Vector   Network (AV:N)

When successfully exploited, attackers can execute arbitrary code within the context of the ingress-nginx controller and access secrets that the controller can read.

In default installations, the ingress-nginx controller typically has cluster-wide access to all Kubernetes secrets, making this vulnerability particularly dangerous.

A successful attack could result in complete cluster compromise, enabling threat actors to steal sensitive credentials, manipulate workloads, and establish persistent access to the infrastructure.

Affected Versions and CVSS Score

This vulnerability has been assigned a CVSS v3.1 score of 8.8 (High), reflecting its significant risk to Kubernetes deployments.

The scoring breakdown indicates a network-based attack vector, low attack complexity, a requirement for low privileges, and high impact on confidentiality, integrity, and availability.

The following ingress-nginx versions are affected:

  • All versions below v1.13.7
  • All versions below v1.14.3

Organizations running any version of ingress-nginx before these patched releases should consider themselves vulnerable and take immediate action.

The Kubernetes security response committee has released patched versions to address this vulnerability.

Organizations must upgrade to ingress-nginx v1.13.7, v1.14.3, or a later version to remediate the flaw fully.

The ingress-nginx maintainers have published detailed upgrade documentation to guide administrators through the patching process.

Security teams should monitor their Kubernetes environments for signs of exploitation. Suspicious indicators include unusual or malformed data within the rules.http.paths.path field of Ingress resources.

Organizations should review existing Ingress objects for anomalous path values that contain special characters, escape sequences, or nginx configuration directives.
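As an added example (not code from the article or the ingress-nginx project), the following Python script applies that review to the JSON that `kubectl get ingress --all-namespaces -o json` produces, flagging path values that contain control characters, nginx configuration syntax, or a directive name; the embedded sample data is constructed, and the exact character set and directive list are assumptions to tune for your environment.

```python
"""Triage Ingress path values that do not look like URL paths (constructed example).

Offline: runs against the embedded SAMPLE. Live:
    kubectl get ingress --all-namespaces -o json | python3 scan_ingress_paths.py
"""
import json
import re
import sys

# Characters that never belong in an HTTP path but are meaningful to nginx's config parser.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")          # newline, tab, NUL, ...
CONFIG_SYNTAX = re.compile(r"[{};#\\]")                  # block/statement/comment/escape syntax
# Assumed list of a few nginx directive names; seeing one inside a path is a strong anomaly signal.
DIRECTIVE_WORDS = re.compile(r"\b(?:proxy_pass|lua_|load_module)")


def path_findings(path: str) -> list[str]:
    """Return the reasons a single path value looks suspicious (empty list if clean)."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("does not start with '/'")
    if CONTROL_CHARS.search(path):
        reasons.append("contains control characters (newline/tab/NUL)")
    if CONFIG_SYNTAX.search(path):
        reasons.append("contains nginx config syntax characters ({ } ; # \\)")
    if DIRECTIVE_WORDS.search(path):
        reasons.append("contains an nginx directive name")
    return reasons


def scan_ingress_list(doc: dict) -> list[dict]:
    """Walk an IngressList document (kubectl -o json) and report anomalous path values."""
    findings = []
    for ing in doc.get("items", []):
        meta = ing.get("metadata", {})
        for rule in ing.get("spec", {}).get("rules", []):
            for entry in rule.get("http", {}).get("paths", []):
                path = entry.get("path", "")
                reasons = path_findings(path)
                if reasons:
                    findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                                     "path": path, "reasons": reasons})
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "shop"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/"}, {"path": "/api"}]}}]}},
    {"metadata": {"namespace": "dev", "name": "odd"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/legacy;\t#"}, {"path": "api"}]}}]}},
]}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in scan_ingress_list(doc):
        print(f"{f['namespace']}/{f['name']}: {f['path']!r} -> {'; '.join(f['reasons'])}")
```

Regex-style paths used with ingress-nginx's ImplementationSpecific path type can legitimately contain a backslash, so treat each hit as a review item rather than a verdict.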

Administrators can verify whether their clusters run ingress-nginx by executing the command: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

If ingress-nginx pods are present, immediate action should be taken to assess vulnerability status and apply patches.

This vulnerability disclosure comes as the Kubernetes community has announced plans to retire the ingress-nginx project.

Maintenance will cease in March 2026, after which no further security updates or bug fixes will be provided.

Organizations using ingress-nginx should begin planning migration to alternative ingress controllers to ensure continued security and support.

The retirement decision follows a series of critical vulnerabilities discovered in ingress-nginx throughout 2025, including the IngressNightmare vulnerability chain (CVE-2025-1974 and related issues).

These security incidents highlighted the challenges of maintaining the widely deployed but complex ingress controller.

Organizations should prioritize upgrading to the patched versions immediately while simultaneously evaluating long-term alternatives to ingress-nginx before the March 2026 retirement deadline.
