CVE-2026-1580
published 2026-02-03


Priority: P3 57
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (38.1th percentile)

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k8s.io | ingress-nginx | >= 0 < 1.13.7 | 1.13.7 |
| k8s.io | ingress-nginx | >= 1.14.0 < 1.14.3 | 1.14.3 |
| kubernetes | ingress-nginx | < 1.13.7 | 1.13.7 |
| kubernetes | ingress-nginx | < 1.14.3 | 1.14.3 |