Critical ingress-nginx flaws enable NGINX config injection, RCE, and admission-controller DoS
Kubernetes maintainers disclosed multiple vulnerabilities in ingress-nginx affecting releases before 1.13.7 and before 1.14.3, including NGINX configuration injection paths that can lead to arbitrary code execution in the ingress-nginx controller's context and to disclosure of the Secrets the controller can read. CVE-2026-24512 allows injection via the Ingress rules.http.paths.path field, and CVE-2026-1580 allows injection via the nginx.ingress.kubernetes.io/auth-method annotation; both are rated CVSS 8.8, require only the ability to create or modify Ingress resources, and are especially high impact in default deployments where the controller can read Secrets cluster-wide. Recommended mitigations are upgrading to v1.13.7, v1.14.3, or later and, as a temporary control, using validating admission policies to reject risky constructs such as the ImplementationSpecific path type or the auth-method annotation. Because the controller renders every Ingress it watches into one nginx.conf, any tenant who can create an Ingress in any namespace reaches the same injection surface, so tightening Ingress create/update RBAC is a complementary control.
A separate ingress-nginx issue, CVE-2026-24514 (CVSS 6.5), affects the validating admission controller (the webhook that checks Ingress objects before they are stored) and enables denial of service: oversized requests drive up memory consumption and can kill the controller pod or exhaust node memory. Detection guidance includes monitoring for unusually large (multi-megabyte) requests to the admission webhook and for suspicious payloads in rules.http.paths.path or in the nginx.ingress.kubernetes.io/auth-method annotation, in particular characters that can terminate a quoted nginx argument or directive, such as double quotes, semicolons or newlines. A referenced item describing CVE-2025-67601 in the Rancher CLI (a credential/TLS handling weakness involving --skip-verify) concerns a different product and is not part of the ingress-nginx disclosures.
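The following is an added example, not code from the ingress-nginx project or the advisories: a scanner that applies the detection guidance above to the JSON that `kubectl get ingress -A -o json` produces, flagging ImplementationSpecific path types, the auth-method annotation, and path or auth-proxy-set-headers values containing characters outside a strict allowlist. It also contrasts an allowlist check with a deliberately incomplete denylist to show why keyword blocking fails against a `return` directive, the bypass pattern the related CVE-2026-3288 story on this page describes. The `SAFE_PATH` and `SAFE_CM_REF` regexes, the `DENIED_DIRECTIVES` list and the sample Ingress objects are all my assumptions and constructed input, not the project's own validation rules.

```python
"""Added example: scan Ingress objects for ingress-nginx config-injection surface.
Not ingress-nginx project code; allowlists and samples below are assumptions."""
import json
import re
import sys

AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"
AUTH_SET_HEADERS = "nginx.ingress.kubernetes.io/auth-proxy-set-headers"

# Allowlist for rules.http.paths.path: a plain URL path. Deliberately tighter
# than what the Ingress API accepts; nothing that can close a quoted nginx
# argument (") or end a directive (; or newline) can pass. Assumption: your
# workloads do not need regex paths; widen this consciously if they do.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~/-]*$")
# Assumed shape of the ConfigMap reference in auth-proxy-set-headers.
SAFE_CM_REF = re.compile(r"^(?:[a-z0-9-]+/)?[a-z0-9.-]+$")

# Illustrative, deliberately incomplete denylist (NOT ingress-nginx's own list).
# Keyword blocking of this kind is what a bare `return` directive walks past.
DENIED_DIRECTIVES = ("include ", "lua_", "load_module", "proxy_pass")


def looks_safe_by_denylist(path: str) -> bool:
    """Denylist check: 'safe' unless a listed directive keyword appears."""
    return not any(d in path for d in DENIED_DIRECTIVES)


def looks_safe_by_allowlist(path: str) -> bool:
    """Allowlist check: safe only if every character is a plain URL-path char."""
    return bool(SAFE_PATH.match(path))


def scan_ingress(ing: dict) -> list[dict]:
    """Return one finding per risky construct in a single Ingress object."""
    meta = ing.get("metadata") or {}
    ns, name = meta.get("namespace", ""), meta.get("name", "")
    ann = meta.get("annotations") or {}
    findings: list[dict] = []

    def add(field: str, reason: str, value: str) -> None:
        findings.append({"namespace": ns, "name": name, "field": field,
                         "reason": reason, "value": value})

    if AUTH_METHOD in ann:
        # Interim guidance on this page: reject the annotation outright until patched.
        add(AUTH_METHOD, "auth-method annotation present (CVE-2026-1580 surface)", ann[AUTH_METHOD])
    if AUTH_SET_HEADERS in ann and not SAFE_CM_REF.match(ann[AUTH_SET_HEADERS]):
        add(AUTH_SET_HEADERS, "unexpected characters in ConfigMap reference (CVE-2025-15566 surface)",
            ann[AUTH_SET_HEADERS])

    for rule in (ing.get("spec") or {}).get("rules") or []:
        for p in (rule.get("http") or {}).get("paths") or []:
            path = p.get("path", "")
            if p.get("pathType") == "ImplementationSpecific":
                add("pathType", "ImplementationSpecific path type (CVE-2026-24512 surface)", path)
            if path and not looks_safe_by_allowlist(path):
                add("path", "path contains characters outside the URL-path allowlist", path)
    return findings


def scan_list(ingress_list: dict) -> list[dict]:
    """Scan a `kubectl get ingress -A -o json` document (kind: List)."""
    out: list[dict] = []
    for item in ingress_list.get("items") or []:
        out.extend(scan_ingress(item))
    return out


# Constructed sample input (not a real cluster dump): one benign Ingress, one
# carrying a quote-breakout payload with a `return` directive, one using auth-method.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/api/v1", "pathType": "Prefix", "backend": {}}]}}]}},
    {"metadata": {"namespace": "shop", "name": "evil"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": '/x" {\n  return 200 "injected";\n}\nlocation /y "',
          "pathType": "ImplementationSpecific", "backend": {}}]}}]}},
    {"metadata": {"namespace": "shop", "name": "auth",
                  "annotations": {AUTH_METHOD: "GET"}},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/login", "pathType": "Exact", "backend": {}}]}}]}},
]}

if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json > ing.json && python3 scan.py ing.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in scan_list(doc):
        print(f"{f['namespace']}/{f['name']}: {f['field']}: {f['reason']}: {f['value']!r}")
```

Run against a real dump, the scanner is a one-off audit; the same allowlist logic belongs in a ValidatingAdmissionPolicy or a CI manifest check so that the risky Ingress never reaches the controller. Note that the injected path passes the denylist and fails the allowlist, which is the whole argument for allowlisting here.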
Timeline
Feb 6, 2026
Kubernetes discloses ingress-nginx auth-proxy-set-headers injection (CVE-2025-15566)
Kubernetes published a product advisory for CVE-2025-15566, another ingress-nginx nginx configuration injection flaw tied to auth-proxy-set-headers. This expanded the publicly disclosed set of ingress-nginx configuration injection issues.
Feb 4, 2026
Public reporting details RCE risk and mitigations for CVE-2026-24512
Reporting on CVE-2026-24512 explained that authenticated attackers could inject malicious NGINX configuration through an Ingress resource, potentially achieving arbitrary code execution and accessing Secrets available to the ingress-nginx controller. The Kubernetes security response committee recommended upgrading to fixed releases 1.13.7, 1.14.3, or later, or temporarily blocking ImplementationSpecific path usage with a validating admission controller.
Feb 2, 2026
Kubernetes discloses ingress-nginx admission controller DoS (CVE-2026-24514)
Kubernetes published a product advisory for CVE-2026-24514, describing a denial-of-service vulnerability in the ingress-nginx Admission Controller. The disclosure added a separate availability-impacting issue to the ingress-nginx vulnerability set.
Feb 2, 2026
Kubernetes discloses ingress-nginx path config injection (CVE-2026-24512)
Kubernetes published a product advisory for CVE-2026-24512 affecting ingress-nginx, where the rules.http.paths.path field can be abused for nginx configuration injection. Later reporting said this could lead to arbitrary code execution and access to Kubernetes Secrets readable by the controller.
Feb 2, 2026
Kubernetes discloses ingress-nginx auth-method config injection (CVE-2026-1580)
Kubernetes published a product advisory for CVE-2026-1580, an ingress-nginx nginx configuration injection issue involving the auth-method feature. The advisory made the vulnerability publicly known.
Related Stories

Arbitrary Code Execution Flaw in Kubernetes ingress-nginx Requires Immediate Patching
Belgium's Centre for Cybersecurity warned organizations to patch **Kubernetes ingress-nginx** immediately after disclosure of an arbitrary code execution issue affecting the widely used NGINX Ingress Controller. The flaw, tracked as **`CVE-2026-3288`**, is a high-severity configuration injection vulnerability that lets an authenticated user with permission to create or modify Ingress resources inject arbitrary **nginx** directives through a crafted double quote in the Ingress path field, potentially leading to remote code execution and exposure of secrets accessible to the controller. Sysdig reported that **`CVE-2026-3288`** was fixed on March 9, 2026 and stemmed from an incomplete remediation of the related **`CVE-2026-24512`**. According to the company, sanitization had been added to one code path but omitted from another, while built-in validation relied on an incomplete blocklist that attackers could bypass with payloads such as `return` directives. Affected releases include ingress-nginx versions before **`v1.13.8`**, **`v1.14.4`**, and **`v1.15.0`**; defenders were urged to upgrade, tighten **RBAC** permissions for Ingress changes, and monitor Kubernetes audit logs for signs of exploitation.
1 week ago
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. 
Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
1 month ago
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). 
SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
1 month ago