CVE-2026-1580

8.8 HIGH

📋 TL;DR

A configuration-injection flaw in ingress-nginx: the value of the nginx.ingress.kubernetes.io/auth-method Ingress annotation is carried into the nginx configuration the controller generates, so anyone who can create or modify Ingress objects can inject attacker-controlled configuration and gain arbitrary code execution inside the controller pod. Because the controller typically holds read access to Secrets cluster-wide (TLS private keys among them), this can escalate to full cluster compromise. Any cluster running an unpatched ingress-nginx in which not every Ingress writer is fully trusted is exposed.

💻 Affected Systems

Products:
  • ingress-nginx
Versions: All versions before the fix (specific fixed version TBD; check the GitHub issue linked under Fix & Mitigation)
Operating Systems: All platforms running Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: Default installations where ingress-nginx controller has cluster-wide Secret access are most vulnerable. Requires ability to create/modify Ingress resources with annotations.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full cluster compromise with attacker gaining control of ingress-nginx controller, accessing all cluster Secrets, and potentially pivoting to other workloads.

🟠

Likely Case

Attacker executes arbitrary commands in controller context, steals sensitive Secrets, and potentially deploys malicious workloads.

🟢

If Mitigated

Limited impact when RBAC and an admission policy keep untrusted users from setting the annotation in the first place, and network policies plus a narrowly scoped controller limit what a compromised controller could reach.

🌐 Internet-Facing: HIGH - The trigger is an Ingress object written through the Kubernetes API, not traffic to the controller's public listener, so reachability is governed by who can write Ingress objects. An internet-facing controller raises the impact rather than the likelihood: it terminates external TLS and holds the corresponding certificate Secrets, and it is the first thing an attacker would want to own.
🏢 Internal Only: MEDIUM - Any internal user or service account with create, update or patch on ingresses (the built-in edit and admin ClusterRoles include this) can exploit it; multi-tenant clusters where namespace admins are not fully trusted are the main concern.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires Kubernetes API permission to create or modify Ingress objects (create, update or patch on ingresses); no access to the controller's HTTP listener is needed. Exploitation consists of submitting an Ingress whose auth-method annotation carries crafted nginx configuration instead of a plain HTTP method name.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for specific fixed version

Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/136677

Restart Required: Yes

Instructions:

1. Check the running ingress-nginx version (see Check Version below).
2. Update to the patched version via Helm or the YAML manifests.
3. Restart the ingress-nginx controller pods (a Helm upgrade or manifest apply with a new image rolls them automatically).
4. Verify that annotation validation is working (see Verify Fix Applied below).

🔧 Temporary Workarounds

Restrict Ingress Creation

Applies to: all platforms

Use Kubernetes RBAC so that only trusted identities can create or modify Ingress resources. Creating a narrow role is only half of the job: the built-in admin and edit ClusterRoles already grant write access to ingresses in networking.k8s.io, so also audit existing RoleBindings and ClusterRoleBindings and remove that grant from every subject that does not need it. Include patch in the role, otherwise kubectl annotate and kubectl apply fail for the trusted user while kubectl replace still works.

kubectl create role ingress-creator --verb=create,update,patch --resource=ingresses.networking.k8s.io --namespace=production
kubectl create rolebinding restricted-ingress --role=ingress-creator --user=trusted-user --namespace=production
kubectl auth can-i create ingresses.networking.k8s.io --namespace=production --as=some-other-user

Use Admission Controller

Applies to: all platforms

Deploy OPA/Gatekeeper or Kyverno to validate Ingress annotations and reject auth-method values that are anything other than a single HTTP method name, which is the only form the annotation legitimately takes. The template below does that; a ConstraintTemplate enforces nothing on its own, so the matching Constraint is included.

# Example Gatekeeper constraint template for ingress-nginx annotations
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8singressannotations
spec:
  crd:
    spec:
      names:
        kind: K8sIngressAnnotations
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8singressannotations
        # Reject the annotation unless it is exactly one HTTP method token:
        # no newline, ';', '{', '$' or anything else that could reach nginx.conf.
        violation[{"msg": msg}] {
          input.review.object.kind == "Ingress"
          value := input.review.object.metadata.annotations["nginx.ingress.kubernetes.io/auth-method"]
          not regex.match("^(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$", value)
          msg := sprintf("nginx.ingress.kubernetes.io/auth-method must be a single HTTP method, got %v", [value])
        }
---
# Constraint that applies the template to all Ingress objects
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sIngressAnnotations
metadata:
  name: restrict-ingress-auth-method
spec:
  match:
    kinds:
      - apiGroups: ["networking.k8s.io"]
        kinds: ["Ingress"]

🧯 If You Can't Patch

  • Implement strict RBAC controls to limit who can create/modify Ingress resources, and audit existing bindings of the built-in edit and admin roles, which already include that permission
  • Deploy network policies to restrict ingress-nginx controller pod egress and limit blast radius
  • Where tenants are not trusted, run a separate controller per tenant scoped with --watch-namespace so a compromised controller only holds that namespace's Secrets

🔍 How to Verify

Check if Vulnerable:

In a non-production cluster or throwaway namespace only (on a vulnerable version the annotation value reaches the live nginx configuration), try to create an Ingress whose nginx.ingress.kubernetes.io/auth-method annotation is not a plain HTTP method, for example a value containing a newline. A patched controller should reject it at annotation validation (as an error from kubectl when the validating webhook is enabled, otherwise in the controller log); if the value is accepted, treat the controller as vulnerable.

Check Version:

kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'

Compare the image tag with the fixed version named in the GitHub issue under Fix & Mitigation.

Verify Fix Applied:

Repeat the creation attempt above with a malformed auth-method value. It should be rejected or sanitized, and the generated configuration (kubectl exec into the controller pod and read /etc/nginx/nginx.conf) should not contain the injected text.
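For clusters that already have many Ingress objects, the quickest check is to audit what is deployed rather than probe the controller. The script below is an added example for this page (it is not code from the CVE entry, NVD or ingress-nginx): it reads the output of kubectl get ingress -A -o json and reports every Ingress whose auth-method annotation is anything other than a single HTTP method name. The allowlist regex and the sample data are assumptions made here; the sample is constructed, not real cluster output.

```python
"""Audit live Ingress objects for suspicious nginx.ingress.kubernetes.io/auth-method values.

Added example; not code from the CVE page, NVD or ingress-nginx.
Usage:  kubectl get ingress -A -o json | python3 audit_auth_method.py
Run with no piped input to exercise the constructed sample at the bottom.
"""
import json
import re
import sys

AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"

# Allowlist (assumption): exactly one HTTP method token. The annotation only ever
# needs a method name, so a newline, ';', '{', '$' or any other character has no
# legitimate use here, whatever the precise injection primitive turns out to be.
ALLOWED = re.compile(r"^(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$")


def is_suspicious(value: str) -> bool:
    """True when the value is anything other than a bare HTTP method."""
    return ALLOWED.fullmatch(value) is None


def audit(ingress_list: dict) -> list:
    """Return one finding per Ingress whose auth-method annotation is suspicious.

    `ingress_list` has the shape of `kubectl get ingress -A -o json` (a List with items).
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        value = (meta.get("annotations") or {}).get(AUTH_METHOD)
        if value is None or not is_suspicious(str(value)):
            continue
        findings.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "value": value,
            # nginx directives are line-oriented, so a multi-line value is the strongest signal.
            "multiline": "\n" in str(value),
        })
    return findings


# Constructed sample resembling `kubectl get ingress -A -o json` output (not real cluster data).
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {AUTH_METHOD: "GET"}}},            # legitimate
        {"metadata": {"namespace": "shop", "name": "api"}},             # annotation absent
        {"metadata": {"namespace": "tenant-b", "name": "evil",
                      "annotations": {AUTH_METHOD: "GET\n# injected-config-placeholder"}}},
        {"metadata": {"namespace": "tenant-c", "name": "odd",
                      "annotations": {AUTH_METHOD: "get"}}},            # not canonical, worth a look
    ],
}


def main() -> int:
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for f in findings:
        print(f"{f['namespace']}/{f['name']}: auth-method={f['value']!r} multiline={f['multiline']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is non-zero when anything is flagged, so the script can sit in a scheduled job or CI gate. Values such as "get" are flagged on purpose: the check is an allowlist, and anything outside it deserves a look even when it is not an injection.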

📡 Detection & Monitoring

Log Indicators:

  • Unusual nginx configuration errors in ingress-nginx logs
  • Unexpected processes running in ingress-nginx pods
  • Suspicious outbound connections from controller pods

Network Indicators:

  • Unusual outbound traffic from ingress-nginx controller pods
  • Connections to unexpected external endpoints

SIEM Query:

The record that identifies the actor is the kube-apiserver audit log (the write that sets the annotation), not the controller pod's logs, which carry no requesting user. Assuming a Splunk-style index of audit.k8s.io events (adjust source to your ingestion):

source="kubernetes-audit" objectRef.resource="ingresses" verb IN ("create","update","patch") "nginx.ingress.kubernetes.io/auth-method" | stats count by user.username, objectRef.namespace, verb
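The same detection run outside a SIEM, as an added example for this page (not code from the CVE entry, NVD or ingress-nginx): it reads kube-apiserver audit events as JSON lines, keeps create/update/patch requests against ingresses, extracts the auth-method value the request sets, and counts non-standard values by user and namespace. It assumes the audit policy records ingresses at level Request or RequestResponse so that requestObject is present, and it handles both full-object bodies and JSON-patch bodies, which spell the annotation key as a JSON Pointer. The allowlist regex and the sample events are assumptions made here; the events are constructed, not real logs.

```python
"""Detect Ingress writes that set nginx.ingress.kubernetes.io/auth-method to
anything other than a bare HTTP method, from kube-apiserver audit events (JSON lines).

Added example; not code from the CVE page, NVD or ingress-nginx.
Assumes the audit policy logs ingresses at level Request or RequestResponse.
Usage:  python3 detect_auth_method.py < /var/log/kubernetes/audit.log
"""
import json
import re
import sys
from collections import Counter

AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"
# JSON Pointer used by application/json-patch+json bodies; '/' in the key is escaped as ~1 (RFC 6901).
JSON_PATCH_PATH = "/metadata/annotations/nginx.ingress.kubernetes.io~1auth-method"
# Allowlist (assumption): a single HTTP method token and nothing else.
ALLOWED = re.compile(r"^(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$")
WRITE_VERBS = {"create", "update", "patch"}


def auth_method_in_request(body):
    """Return the auth-method value a request body sets, or None.

    Handles a full object (create/update), a merge or strategic-merge patch
    (dict carrying metadata.annotations) and a JSON patch (list of ops).
    """
    if isinstance(body, list):
        for op in body:
            if op.get("op") in ("add", "replace") and op.get("path") == JSON_PATCH_PATH:
                return op.get("value")
        return None
    if isinstance(body, dict):
        return ((body.get("metadata") or {}).get("annotations") or {}).get(AUTH_METHOD)
    return None


def scan(lines) -> list:
    """Return one finding per write to ingresses that sets a non-standard auth-method."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") != "ingresses":
            continue
        value = auth_method_in_request(ev.get("requestObject"))
        if value is None or ALLOWED.fullmatch(str(value)):
            continue
        findings.append({
            "auditID": ev.get("auditID"),
            "verb": ev["verb"],
            "user": (ev.get("user") or {}).get("username"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "value": value,
        })
    return findings


def count_by_user_namespace(findings) -> Counter:
    """Equivalent of the `stats count by user, namespace` clause of the SIEM query."""
    return Counter((f["user"], f["namespace"]) for f in findings)


def _event(audit_id, verb, user, ref, request=None):
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
          "verb": verb, "user": {"username": user}, "objectRef": ref}
    if request is not None:
        ev["requestObject"] = request
    return json.dumps(ev)


# Constructed audit events (not real logs); field names follow the audit.k8s.io/v1 Event schema.
SAMPLE_EVENTS = [
    _event("a1", "create", "alice", {"resource": "ingresses", "namespace": "shop", "name": "web"},
           {"metadata": {"annotations": {AUTH_METHOD: "GET"}}}),                 # legitimate
    _event("a2", "patch", "mallory", {"resource": "ingresses", "namespace": "tenant-b", "name": "evil"},
           [{"op": "add", "path": JSON_PATCH_PATH, "value": "GET\n# injected-placeholder"}]),
    _event("a3", "update", "mallory", {"resource": "ingresses", "namespace": "tenant-b", "name": "evil"},
           {"metadata": {"annotations": {AUTH_METHOD: "POST; injected-placeholder"}}}),
    _event("a4", "get", "mallory", {"resource": "ingresses", "namespace": "tenant-b", "name": "evil"}),
    _event("a5", "create", "bob", {"resource": "deployments", "namespace": "shop", "name": "web"},
           {"metadata": {"annotations": {AUTH_METHOD: "x\ny"}}}),               # wrong resource, ignored
]


def main() -> int:
    lines = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin
    findings = scan(lines)
    for f in findings:
        print(f"{f['auditID']} {f['verb']} {f['namespace']}/{f['name']} by {f['user']}: {f['value']!r}")
    for (user, ns), n in count_by_user_namespace(findings).items():
        print(f"count user={user} namespace={ns} -> {n}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Matching on requestObject rather than on the raw line is what makes this usable: a substring search for the annotation key also fires on every read of an Ingress that carries it, which is the noise the original query would produce.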
