CVE-2026-4342
Published 2026-03-19
Priority: P359 high; CVSS 3.1 base score 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.49% (70.9th percentile)
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| k8s.io | ingress-nginx | >= 0 < 0.0.0-20260319175635-5183b7d86137 | 0.0.0-20260319175635-5183b7d86137 |
| kubernetes | ingress-nginx | < 1.13.9 | 1.13.9 |
| kubernetes | ingress-nginx | < 1.14.5 | 1.14.5 |
| kubernetes | ingress-nginx | < 1.15.1 | 1.15.1 |
| kubernetes | nginx_ingress_controller | < 1.13.9 | 1.13.9 |
| kubernetes | nginx_ingress_controller | — | — |
| kubernetes | nginx_ingress_controller | >= 1.14.0 < 1.14.5 | 1.14.5 |
VulDB
vuldb·2026-05-20·CVSS 8.8
CVE-2026-4342 [HIGH] Kubernetes up to 1.13.8/1.14.4/1.15.0 ingress-nginx input validation (Issue 137893 / WID-SEC-2026-0801)
A vulnerability identified as very critical has been detected in Kubernetes up to 1.13.8/1.14.4/1.15.0. This issue affects some unknown processing of the component ingress-nginx. Performing a manipulation results in improper input validation.
This vulnerability is reported as CVE-2026-4342. The attack can be carried out remotely. No exploit exists.
You should upgrade the affected component.
OSV
osv·2026-03-23
CVE-2026-4342 ingress-nginx comment-based nginx configuration injection in k8s.io/ingress-nginx
OSV
osv·2026-03-20
CVE-2026-4342 [HIGH] ingress-nginx comment-based nginx configuration injection
GHSA
ghsa·2026-03-20
CVE-2026-4342 [HIGH] CWE-20 ingress-nginx comment-based nginx configuration injection
No detection rules found.
No public exploits indexed.
Hackernews
blogs_hackernews·2026-04-13·CVSS 8.6
[HIGH] ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
## ⚡ Weekly Recap: Fiber Optic Spying, Windows Rootkit, AI Vulnerability Hunting and More
Monday is back, and the weekend’s backlog of chaos is officially hitting the fan. We are tracking a critical zero-day that has been quietly living in your PDFs for months, plus some aggressive state-sponsored meddling in infrastructure that is finally coming to light. It is one of those mornings where the gap between a quiet shift and a full-blown incident response is basically non-existent.
The variety this week is particularly nasty. We have AI models being turned into autonomous exploit engines, North Korean groups playing the long game
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24512 [HIGH] CVE-2026-24512 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24512: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
rules.http.paths.path
Source: NVD
Score: 8.8
Published: February 3, 2026
Severity: HIGH
CNA Score: 8.8
High-profile Vulnerability: Yes
Affected Technologies: Ingress NGINX Controller (community-driven); MinimOS
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 20.8
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: ingress-nginx-controller-1.14; k8s.io/ingress-nginx
Sources:
GoLang Severity HIGH Has Fix Added at: Feb 08, 2026
MinimOS Severity HIGH Has Fix Added at: Feb 08, 2026
Linux Severity HIGH Has Fix Added at: Feb 03, 2026
Windows Severity HIGH Has Fix Added
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-3288 [HIGH] CVE-2026-3288 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3288: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
nginx.ingress.kubernetes.io/rewrite-target
Source: NVD
Score: 8.8
Published: March 9, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: Ingress NGINX Controller (community-driven)
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx
Sources:
Linux Severity HIGH Has Fix Added at: Mar 10, 2026
Windows Severity HIGH Has Fix Added at: Mar 10, 2026
Wiz
blogs_wiz·CVSS 8.8
CVE-2025-15566 [HIGH] CVE-2025-15566 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15566: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
nginx.ingress.kubernetes.io/auth-proxy-set-headers
Source: NVD
Score: 8.8
Published: February 6, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: Ingress NGINX Controller (community-driven)
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx
Sources:
NVD
Linux Severity HIGH Has Fix Added at: Feb 08, 2026
Windows Severity HIGH Has Fix Added at: Feb 08, 2026
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24513 [HIGH] CVE-2026-24513 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24513: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
auth-url
Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
Source: NVD
Score: 3.1
Published: February 3, 2026
Severity: LOW
CNA Score: 3.1
High-profile Vulnerability: Yes
Affected Technologies: Ingress NGINX Controller (community-driven); MinimOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx; k8s.io/ingress-nginx
Sources:
GoLang Seve
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-24514 [HIGH] CVE-2026-24514 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24514: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.
Source: NVD
Score: 6.5
Published: February 3, 2026
Severity: MEDIUM
CNA Score: 6.5
High-profile Vulnerability: Yes
Affected Technologies: Ingress NGINX Controller (community-driven); MinimOS
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS)
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-4342 [HIGH] CVE-2026-4342 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4342: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
Source: NVD
Score: 8.8
Published: March 19, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: Ingress NGINX Controller (community-driven)
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.3
Exploitation Pr
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-1580 [HIGH] CVE-2026-1580 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1580: Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
nginx.ingress.kubernetes.io/auth-method
Source: NVD
Score: 8.8
Published: February 3, 2026
Severity: HIGH
CNA Score: 8.8
High-profile Vulnerability: Yes
Affected Technologies: Ingress NGINX Controller (community-driven); MinimOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:kubernetes:ingress-nginx; k8s.io/ingress-nginx
Sources:
GoLang Severity HIGH Has Fix Added at: Feb 08, 2026
MinimOS Severity HIGH Has Fix Added at: Feb 08, 2026
Linux Severity HIGH Has Fix Added at: Feb 03, 2026
Windows Severit