CVE-2026-3288
published 2026-03-09

Priority: P2 (64)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.67% (93.1th percentile)

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kubernetes | ingress-nginx | < 1.14.4 | 1.14.4 |
| kubernetes | ingress-nginx | < 1.15.0 | 1.15.0 |
| kubernetes | ingress-nginx | < 1.13.8 | 1.13.8 |
| kubernetes | ingress-nginx | >= 1.14.0 < 1.14.4 | 1.14.4 |

Detection & IOCs (extracted from sources)

  • Monitor Ingress resources for use of the `nginx.ingress.kubernetes.io/rewrite-target` annotation with suspicious or unexpected values that may inject nginx configuration directives.
  • In the default ingress-nginx installation, the controller has cluster-wide access to all Secrets, significantly expanding the blast radius of successful exploitation.
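
One way to carry out the monitoring item above, as an added example that is not part of the advisory or of ingress-nginx: a Python audit over the JSON printed by `kubectl get ingress -A -o json`. The two character sets that define "expected" and "suspicious" values are assumptions of this sketch, and the sample objects are constructed.

```python
import json
import re
import sys

ANNOTATION = "nginx.ingress.kubernetes.io/rewrite-target"

# Assumption: a legitimate rewrite target is a URI path built from path
# characters and capture-group references such as $1 or $2.
EXPECTED = re.compile(r"/[A-Za-z0-9_\-./$]*")
# Assumption: characters that carry meaning in nginx configuration syntax
# have no place in a rewrite target and deserve immediate review.
CONFIG_SYNTAX = re.compile(r"[;{}\"'\\#\r\n]")


def audit_ingresses(ingress_list):
    """Return one finding per Ingress that carries the rewrite-target annotation."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None:
            continue  # annotation not used on this Ingress
        if CONFIG_SYNTAX.search(value):
            verdict = "suspicious"
        elif not EXPECTED.fullmatch(value):
            verdict = "unexpected"
        else:
            verdict = "ok"
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name"),
            "value": value,
            "verdict": verdict,
        })
    return findings


# Constructed sample in the shape of a Kubernetes IngressList (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {ANNOTATION: "/$2"}}},
    {"metadata": {"namespace": "dev", "name": "api", "annotations": {ANNOTATION: "/app/$1 extra"}}},
    {"metadata": {"namespace": "dev", "name": "probe", "annotations": {ANNOTATION: "/$1;{constructed}"}}},
    {"metadata": {"namespace": "ops", "name": "plain"}},
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_ingresses(data):
        print(f"{f['verdict']:<10} {f['namespace']}/{f['name']}  {f['value']!r}")
```

Findings marked `ok` still list who uses the annotation, which helps scope the upgrade to a fixed release from the table above.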