ingress-nginx NGINX Configuration Injection Vulnerability via auth-method Annotation

Vulnerability

A vulnerability exists in ingress-nginx versions prior to 1.13.7 and 1.14.3, allowing the `nginx.ingress.kubernetes.io/auth-method` annotation to inject arbitrary configuration into NGINX. This injection could lead to arbitrary code execution within the context of the ingress-nginx controller and allow unauthorized access to Secrets that the controller can access cluster-wide.

Impact

Exploitation of this vulnerability could result in arbitrary code execution in the context of the ingress-nginx controller and unauthorized disclosure of cluster-wide Secrets accessible to the controller.

Remediation

Upgrade ingress-nginx to version 1.13.7 or 1.14.3 (or any later version). If an immediate upgrade is not possible, the vulnerability can be temporarily mitigated with a validating admission controller that rejects Ingress resources carrying the `nginx.ingress.kubernetes.io/auth-method` annotation.
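The temporary mitigation described above can be implemented without a custom webhook by using the Kubernetes-native ValidatingAdmissionPolicy API (admissionregistration.k8s.io/v1, GA since Kubernetes 1.30). The following policy and binding are an added example written for this page, not configuration from the advisory or from the ingress-nginx project; the policy and binding names are assumptions, and the policy assumes ingress-nginx is running with its default annotation prefix.

```yaml
# Added example (not from the advisory or the ingress-nginx project):
# reject any Ingress that carries the nginx.ingress.kubernetes.io/auth-method
# annotation, as a stop-gap until the controller is upgraded.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-ingress-nginx-auth-method        # assumed name
spec:
  failurePolicy: Fail          # if the policy cannot be evaluated, reject the request
  matchConstraints:
    resourceRules:
      - apiGroups:   ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["ingresses"]
  validations:
    # CEL: the request passes only if the annotation map is absent
    # or does not contain the auth-method key.
    - expression: >-
        !has(object.metadata.annotations) ||
        !("nginx.ingress.kubernetes.io/auth-method" in object.metadata.annotations)
      message: >-
        The annotation nginx.ingress.kubernetes.io/auth-method is not allowed
        until ingress-nginx is upgraded to 1.13.7 / 1.14.3 or later.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-ingress-nginx-auth-method-binding   # assumed name
spec:
  policyName: deny-ingress-nginx-auth-method
  validationActions: ["Deny"]   # switch to ["Warn"] or ["Audit"] to dry-run first
```

Apply both objects with `kubectl apply -f`. Two caveats a practitioner should check: admission only covers new CREATE/UPDATE requests, so existing Ingress objects should be audited separately (for example, list them with `kubectl get ingress -A -o json` and inspect `metadata.annotations`); and if the controller was started with a non-default `--annotations-prefix`, the key in the CEL expression must be changed to match. On clusters older than 1.30, the same check can be enforced through a webhook-based admission controller or a policy engine.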

Added: Feb 3, 2026, 11:23 PM
Updated: Feb 3, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread:          6.4
impact:          7.5
exploitability:  6.3
remediation:     7.9
relevance:       2.6
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.