[Security Advisory] CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection

Hello Kubernetes Community,

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

This issue has been rated HIGH (CVSS calculator, score: 8.8), and assigned CVE-2026-3288.

Am I vulnerable?

This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.

Affected Versions

  • ingress-nginx: < 1.13.8
  • ingress-nginx: < 1.14.4
  • ingress-nginx: < 1.15.0

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by using admission control to block the use of the rewrite-target annotation.
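One way to implement that admission-control mitigation, as an added example that is not part of the advisory or of the ingress-nginx project: a ValidatingAdmissionPolicy (admissionregistration.k8s.io/v1, available on Kubernetes 1.30+) that rejects any Ingress carrying the rewrite-target annotation. The policy and binding names are hypothetical; the annotation key and resource type come from the advisory.

```yaml
# Added example (not from the advisory): deny Ingress objects that set the
# nginx.ingress.kubernetes.io/rewrite-target annotation until the controller
# is upgraded to a fixed version. Policy/binding names are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-ingress-rewrite-target
spec:
  # Fail closed: if the policy cannot be evaluated, the request is rejected.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["networking.k8s.io"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["ingresses"]
  validations:
  # Allow when there are no annotations at all, or when the rewrite-target
  # annotation key is absent; any value for that key is rejected.
  - expression: >-
      !has(object.metadata.annotations) ||
      !('nginx.ingress.kubernetes.io/rewrite-target' in object.metadata.annotations)
    message: >-
      The nginx.ingress.kubernetes.io/rewrite-target annotation is blocked
      pending the ingress-nginx upgrade for CVE-2026-3288.
    reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-ingress-rewrite-target-binding
spec:
  policyName: deny-ingress-rewrite-target
  # Deny (rather than Warn/Audit) so the annotation cannot reach the controller.
  validationActions: ["Deny"]
  # No matchResources: the binding applies cluster-wide, in every namespace.
```

Note that this blocks legitimate uses of rewrite-target as well, which is what the advisory's interim mitigation calls for; remove the policy once the controller is running a fixed version. Existing Ingress objects that already carry the annotation are not re-validated until they are next created or updated, so check for them with kubectl separately.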

Fixed Versions

  • ingress-nginx: 1.13.8
  • ingress-nginx: 1.14.4
  • ingress-nginx: 1.15.0

How to upgrade?

To upgrade, refer to the documentation: Upgrading Ingress-nginx

Detection

Suspicious data within the rules.http.paths.path field of an Ingress resource could indicate an attempt to exploit this vulnerability.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/137560

Acknowledgements

This vulnerability was reported by Kai Aizen.

Thank You,

Tabitha Sable on behalf of the Kubernetes Security Response Committee