CVE-2026-4342
Ingress-NGINX Annotation Injection Enables Remote Code Execution
Publication date: 2026-03-19
Last updated on: 2026-05-19
Assigner: Kubernetes
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kubernetes | nginx_ingress_controller | to 1.13.9 (exc) |
| kubernetes | nginx_ingress_controller | From 1.14.0 (inc) to 1.14.5 (exc) |
| kubernetes | nginx_ingress_controller | 1.15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ingress-nginx where certain combinations of Ingress annotations allow an attacker to inject configuration into nginx.
This injection can lead to arbitrary code execution within the ingress-nginx controller.
Additionally, it can cause disclosure of Secrets that the controller has access to, which by default includes all Secrets cluster-wide.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute arbitrary code in the context of the ingress-nginx controller.
It can also lead to unauthorized disclosure of sensitive Secrets accessible to the controller.
Since the controller can access all Secrets cluster-wide by default, this could compromise sensitive data and control over the cluster.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know