CVE-2026-24512 — Improper Input Validation in Kubernetes Ingress-nginx

CWE-20 — Improper Input Validation6 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 76.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Ingress-nginx K8s.io Ingress-nginx

Timeline

PublishedFeb 3

Latest updateFeb 5

Description

A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Gok8s.io/ingress-nginx1.14.0 — 1.14.3+1

▶CVEListV5kubernetes/ingress-nginx< 1.13.7+1

🔴Vulnerability Details

OSV

ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx in k8s.io/ingress-nginx↗2026-02-05

▶

OSV

ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx↗2026-02-04

▶

GHSA

ingress-nginx's `rules.http.paths.path` Ingress field can be used to inject configuration into nginx↗2026-02-04

▶

CVEList

ingress-nginx auth-method nginx configuration injection↗2026-02-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24512 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶