NGINX Ingress Controller Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in NGINX Ingress Controller versions 3.6.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.5.1. When the Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify these resources can cause the Ingress Controller process to terminate. This leads to a persistent crash loop in the control plane, while the malformed resource remains in the cluster. There is no exposure in the data plane; the issue is confined to the control plane.

Impact

Exploitation of this vulnerability causes the NGINX Ingress Controller control plane process to terminate and enter a persistent crash loop, disrupting the availability of the controller while the malformed Ingress or TransportServer resource remains in the cluster.

Remediation

To address this vulnerability, users can upgrade to NGINX Ingress Controller version 5.5.2. If a crash loop is already in progress, the malicious resource can be deleted to restore controller availability.

Added: Jul 15, 2026, 3:45 PM
Updated: Jul 15, 2026, 3:45 PM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
2.5
exploitability
5.4
remediation
8.3
relevance
9.7
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.