[Security Advisory] CVE-2026-4342: ingress-nginx comment-based nginx configuration injection
207 views
Skip to first unread message
Tabitha Sable
Mar 19, 2026, 1:45:28 PM
Mar 19
to kubernete...@googlegroups.com, dev, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io
Hello Kubernetes Community,
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
This issue has been rated **HIGH** ([CVSS calculator]( https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ), score: 8.8), and assigned **CVE-2026-4342**
### Am I vulnerable?
This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx` .
#### Affected Versions
- ingress-nginx: < v1.13.9
- ingress-nginx: < v1.14.5
- ingress-nginx: < v1.15.1
### How do I mitigate this vulnerability?
#### Fixed Versions
- ingress-nginx: v1.13.9
- ingress-nginx: v1.14.5
- ingress-nginx: v1.15.1
#### How to upgrade?
To upgrade, refer to the documentation: [Upgrading Ingress-nginx]( https://kubernetes.github.io/ingress-nginx/deploy/upgrade/ )
### Detection
Suspicious data within the `rules.http.paths.path` field of an Ingress resource could indicate an attempt to exploit this vulnerability.
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/137893
#### Acknowledgements
This vulnerability was reported by wooseokdotkim.
Thank You,
Tabitha Sable on behalf of the Kubernetes Security Response Committee
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
This issue has been rated **HIGH** ([CVSS calculator]( https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ), score: 8.8), and assigned **CVE-2026-4342**
### Am I vulnerable?
This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx` .
#### Affected Versions
- ingress-nginx: < v1.13.9
- ingress-nginx: < v1.14.5
- ingress-nginx: < v1.15.1
### How do I mitigate this vulnerability?
#### Fixed Versions
- ingress-nginx: v1.13.9
- ingress-nginx: v1.14.5
- ingress-nginx: v1.15.1
#### How to upgrade?
To upgrade, refer to the documentation: [Upgrading Ingress-nginx]( https://kubernetes.github.io/ingress-nginx/deploy/upgrade/ )
### Detection
Suspicious data within the `rules.http.paths.path` field of an Ingress resource could indicate an attempt to exploit this vulnerability.
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/137893
#### Acknowledgements
This vulnerability was reported by wooseokdotkim.
Thank You,
Tabitha Sable on behalf of the Kubernetes Security Response Committee
Reply all
Reply to author
Forward
Search
Clear search
Close search
Google apps
Main menu
