Primary

Context

ingress-nginx Nginx Configuration Injection Vulnerability Leading to Code Execution and Secret Disclosure

Vulnerability

Patched

A vulnerability exists in ingress-nginx versions prior to 1.13.9, 1.14.5, and 1.15.1. It allows the injection of Nginx configuration through specific Ingress annotations. This injection can result in arbitrary code execution within the ingress-nginx controller and the unauthorized disclosure of Secrets that the controller can access. By default, the ingress-nginx controller has access to all Secrets across the cluster.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution in the context of the ingress-nginx controller and the unauthorized disclosure of cluster-wide Secrets accessible to the controller.

Remediation

Users can upgrade to ingress-nginx versions 1.13.9, 1.14.5, or 1.15.1. Release builds for these versions are available from the usual distribution channels.

Added: Mar 19, 2026, 10:18 PM

Updated: Mar 19, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

7.5

exploitability

4.5

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

7.5

exploitability

4.5

remediation

7.7

relevance

4.1

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ingress-nginx Nginx Configuration Injection Vulnerability Leading to Code Execution and Secret Disclosure

Vulnerability

Impact

Remediation

Affected Products

kubernetes-ingress-nginx

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating