CVE-2026-3288
Received Received - Intake
Ingress Annotation Injection in ingress-nginx Leading to RCE and Secret Disclosure

Publication date: 2026-03-09

Last updated on: 2026-05-06

Assigner: Kubernetes

Description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3288
EUVD
EUVD-2026-10360
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kubernetes ingress-nginx to 1.13.8 (exc)
kubernetes ingress-nginx From 1.14.0 (inc) to 1.14.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

You can detect if your system is affected by checking for ingress-nginx pods running in your Kubernetes cluster using the command: `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

To detect exploitation attempts, monitor the `http.paths.path` field of Ingress resources for suspicious data that may indicate attempts to inject arbitrary nginx configuration.

Mitigation Strategies

Immediate mitigation before upgrading involves using admission control mechanisms to block the use of the `nginx.ingress.kubernetes.io/rewrite-target` annotation.

The recommended fix is to upgrade ingress-nginx to versions 1.13.8, 1.14.4, 1.15.0, or later, following the official upgrade documentation.

Executive Summary

CVE-2026-3288 is a high-severity security vulnerability in the ingress-nginx Kubernetes controller. It arises from the misuse of the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation, which allows an attacker to inject arbitrary nginx configuration into the ingress-nginx controller.

This injection can lead to arbitrary code execution within the context of the ingress-nginx controller and unauthorized disclosure of Kubernetes Secrets accessible to the controller.

By default, the ingress-nginx controller has cluster-wide access to all Secrets, which amplifies the impact of this vulnerability.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to execute arbitrary code within the ingress-nginx controller, potentially taking control of the controller's operations."}, {'type': 'paragraph', 'content': 'Additionally, it can lead to the unauthorized disclosure of Kubernetes Secrets that the ingress-nginx controller can access, which by default includes all Secrets cluster-wide.'}, {'type': 'paragraph', 'content': 'Such access can compromise sensitive information and affect the security and integrity of your Kubernetes cluster.'}] [1]

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart