CVE-2026-3288
Received Received - Intake
Ingress Annotation Injection in ingress-nginx Leading to RCE and Secret Disclosure

Publication date: 2026-03-09

Last updated on: 2026-05-06

Assigner: Kubernetes

Description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-03-09
EPSS Evaluated
2026-05-05
NVD
CVE-2026-3288
EUVD
EUVD-2026-10360
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kubernetes ingress-nginx to 1.13.8 (exc)
kubernetes ingress-nginx From 1.14.0 (inc) to 1.14.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect if your system is affected by checking for ingress-nginx pods running in your Kubernetes cluster using the command: `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

To detect exploitation attempts, monitor the `http.paths.path` field of Ingress resources for suspicious data that may indicate attempts to inject arbitrary nginx configuration.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation before upgrading involves using admission control mechanisms to block the use of the `nginx.ingress.kubernetes.io/rewrite-target` annotation.

The recommended fix is to upgrade ingress-nginx to versions 1.13.8, 1.14.4, 1.15.0, or later, following the official upgrade documentation.


Can you explain this vulnerability to me?

CVE-2026-3288 is a high-severity security vulnerability in the ingress-nginx Kubernetes controller. It arises from the misuse of the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation, which allows an attacker to inject arbitrary nginx configuration into the ingress-nginx controller.

This injection can lead to arbitrary code execution within the context of the ingress-nginx controller and unauthorized disclosure of Kubernetes Secrets accessible to the controller.

By default, the ingress-nginx controller has cluster-wide access to all Secrets, which amplifies the impact of this vulnerability.


How can this vulnerability impact me? :

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to execute arbitrary code within the ingress-nginx controller, potentially taking control of the controller's operations."}, {'type': 'paragraph', 'content': 'Additionally, it can lead to the unauthorized disclosure of Kubernetes Secrets that the ingress-nginx controller can access, which by default includes all Secrets cluster-wide.'}, {'type': 'paragraph', 'content': 'Such access can compromise sensitive information and affect the security and integrity of your Kubernetes cluster.'}] [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart