CVE-2026-24513
Unknown Unknown - Not Provided
Authentication Bypass in ingress-nginx via Misconfigured Custom-Errors Backend

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Kubernetes

Description
A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ingress-nginx ingress-nginx *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ingress-nginx where the protection provided by the `auth-url` Ingress annotation may fail under certain misconfigurations.

Specifically, if the ingress-nginx controller is set up with a default custom-errors configuration that includes HTTP errors 401 or 403, and the backend handling these errors is defective and does not respect the X-Code HTTP header, then an Ingress resource using the `auth-url` annotation might be accessed even if authentication fails.

This issue only occurs if an administrator configures ingress-nginx with a broken external component for handling custom errors; the built-in custom-errors backend does not have this problem.

Impact Analysis

This vulnerability can allow unauthorized access to resources protected by the `auth-url` annotation in ingress-nginx if the system is misconfigured with a defective custom-errors backend.

Such unauthorized access could lead to exposure of sensitive information or services that were intended to be restricted by authentication.

However, the impact is limited by the requirement of a specific misconfiguration and the use of a broken external component, and the CVSS score indicates a low severity with limited confidentiality impact.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, ensure that the ingress-nginx controller is not configured with a defective custom-errors backend that fails to respect the X-Code HTTP header.

Use the built-in custom-errors backend instead of a custom or external one, as the built-in backend works correctly and does not allow bypassing authentication.

Avoid configuring ingress-nginx with a default custom-errors configuration that includes HTTP errors 401 or 403 pointing to a broken external component.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart