CVE-2026-4342 — Improper Input Validation in Kubernetes Ingress-nginx

CWE-20 — Improper Input Validation6 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 88.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Ingress-nginx K8s.io Ingress-nginx

Timeline

PublishedMar 19

Latest updateMar 23

Description

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Gok8s.io/ingress-nginx< 0.0.0-20260319175635-5183b7d86137

▶CVEListV5kubernetes/ingress-nginx< 1.13.9+2

🔴Vulnerability Details

OSV

ingress-nginx comment-based nginx configuration injection in k8s.io/ingress-nginx↗2026-03-23

▶

OSV

ingress-nginx comment-based nginx configuration injection↗2026-03-20

▶

GHSA

ingress-nginx comment-based nginx configuration injection↗2026-03-20

▶

CVEList

ingress-nginx comment-based nginx configuration injection↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4342 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶