NGINX Ingress Controller Injection Vulnerability Allowing Arbitrary Configuration Directives

Vulnerability

An injection vulnerability has been identified in the NGINX Ingress Controller, specifically in versions 3.6.0 to 3.7.2, 4.0.0 to 4.0.1, and 5.0.0 to 5.5.1. When the controller is used with Custom Resource Definitions (CRDs) or Ingress annotations, multiple user-controllable fields can be written into the generated NGINX configuration without proper sanitization. This flaw allows an authenticated attacker with permission to create or modify these CRDs or annotations to inject arbitrary NGINX configuration directives. The vulnerability is a control plane issue, with no exposure in the data plane.

Impact

Exploitation of this vulnerability could enable an authenticated attacker with write access to NGINX Ingress Controller CRDs or Ingress annotations to inject arbitrary NGINX configuration directives, potentially leading to unauthorized file creation or deletion, or disruption of services.

Remediation

To address this vulnerability, users should upgrade to NGINX Ingress Controller version 5.5.2. For versions 4.x and 3.x, no specific update is available, but users are advised to upgrade to a version with the fix. Additionally, it is recommended to restrict Kubernetes Role-based Access Control (RBAC) permissions on Ingress resources to trusted cluster administrators only, and to deploy an admission policy that rejects resources with special characters in user-controlled fields.

Added: Jul 15, 2026, 3:42 PM
Updated: Jul 15, 2026, 3:42 PM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
5.8
exploitability
5.4
remediation
7.9
relevance
9.8
threat
0.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.