ingress-nginx Configuration Injection Vulnerability via Rewrite-Target Annotation

Vulnerability

A vulnerability exists in ingress-nginx versions prior to 1.13.8, 1.14.4, and 1.15.0, allowing the `nginx.ingress.kubernetes.io/rewrite-target` annotation to inject arbitrary configuration into nginx. This injection could lead to arbitrary code execution within the ingress-nginx controller and the unauthorized disclosure of Secrets accessible to the controller, which by default can access all cluster-wide Secrets.

Impact

Exploitation of this vulnerability could result in arbitrary code execution in the context of the ingress-nginx controller and the disclosure of cluster-wide Secrets accessible to the controller.

Remediation

Users can upgrade to ingress-nginx versions 1.13.8, 1.14.4, or 1.15.0. For instructions on upgrading, refer to the 'Upgrading Ingress-nginx' documentation. Ingress-nginx users can also use admission control to block the use of the rewrite-target annotation as a temporary mitigation.
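One way to apply the admission-control mitigation is a ValidatingAdmissionPolicy that rejects any Ingress carrying the annotation. This is an added example, not configuration from the ingress-nginx project or this advisory. The object names are hypothetical, and it assumes a cluster where `admissionregistration.k8s.io/v1` ValidatingAdmissionPolicy is available (GA in Kubernetes 1.30) and the controller uses the default annotation prefix.

```yaml
# Added example: block the rewrite-target annotation at admission time.
# Names below (deny-ingress-rewrite-target*) are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-ingress-rewrite-target
spec:
  # Fail closed: if the policy cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    # Admit only Ingresses that have no annotations at all, or whose
    # annotations do not include the rewrite-target key.
    - expression: >-
        !has(object.metadata.annotations) ||
        !('nginx.ingress.kubernetes.io/rewrite-target' in object.metadata.annotations)
      message: >-
        The nginx.ingress.kubernetes.io/rewrite-target annotation is blocked
        until ingress-nginx is upgraded to 1.13.8, 1.14.4, or 1.15.0.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-ingress-rewrite-target-binding
spec:
  policyName: deny-ingress-rewrite-target
  # No matchResources selector: the binding applies in every namespace.
  validationActions: ["Deny"]
```

Admission policies only evaluate new CREATE and UPDATE requests, so Ingresses that already carry the annotation remain in place and have to be reviewed separately. If the controller runs with a custom `--annotations-prefix`, the key in the expression has to use that prefix instead.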

Added: Mar 9, 2026, 9:18 PM
Updated: Mar 9, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 10.0
exploitability: 5.4
remediation: 7.9
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.