CVE-2026-24512
📋 TL;DR
This CVE describes a configuration injection vulnerability in ingress-nginx where attackers can inject malicious nginx configuration through the `rules.http.paths.path` field. This allows arbitrary code execution within the ingress-nginx controller and disclosure of all cluster-wide Secrets in default installations. All Kubernetes clusters using ingress-nginx are affected.
💻 Affected Systems
- ingress-nginx
- Kubernetes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise via arbitrary code execution as ingress-nginx controller, leading to complete Secret disclosure, lateral movement, and resource hijacking.
Likely Case
Unauthorized access to sensitive Secrets and potential privilege escalation within the cluster.
If Mitigated
Limited impact if proper network policies, RBAC restrictions, and admission controllers are in place to restrict ingress-nginx permissions.
🎯 Exploit Status
Exploitation requires authenticated access to create/modify Ingress resources. The vulnerability is straightforward to exploit once an attacker gains appropriate permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Kubernetes/ingress-nginx security advisories for specific patched versions
Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/136678
Restart Required: Yes
Instructions:
1. Update ingress-nginx to the latest patched version.
2. Update Kubernetes to a version that includes the fix.
3. Restart the ingress-nginx controller pods.
4. Validate the fix by testing path injection attempts.
🔧 Temporary Workarounds
Restrict Ingress Creation Permissions
Limit who can create or modify Ingress resources using RBAC to reduce the attack surface
kubectl create rolebinding restricted-ingress --clusterrole=edit --user=trusted-user --namespace=production
Implement Admission Controller Validation
Use OPA Gatekeeper or Kyverno to validate Ingress paths and reject malicious configurations
# Example OPA Gatekeeper policy for Ingress path validation: a ConstraintTemplate (Rego) plus a constraint that applies it to Ingress objects
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8singresssafepath
spec:
  crd:
    spec:
      names: {kind: K8sIngressSafePath}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8singresssafepath
        violation[{"msg": msg}] {
          path := input.review.object.spec.rules[_].http.paths[_].path
          not regex.match("^/[A-Za-z0-9/._-]*$", path)
          msg := sprintf("Ingress path %q contains characters outside the allowed set", [path])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sIngressSafePath
metadata:
  name: ingress-path-validation
spec:
  match:
    kinds:
      - apiGroups: ["networking.k8s.io"]
        kinds: ["Ingress"]
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create/modify Ingress resources
- Deploy network policies to restrict ingress-nginx controller's network access and reduce lateral movement potential
🔍 How to Verify
Check if Vulnerable:
Test if you can create an Ingress with a path containing nginx configuration directives like `~*` or `proxy_pass`
Check Version:
kubectl describe deployment ingress-nginx-controller -n ingress-nginx | grep Image
Verify Fix Applied:
Attempt to create a malicious Ingress with nginx directives in the path field - it should be rejected or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual nginx configuration reloads
- Ingress resources with suspicious path patterns containing nginx directives
- Failed attempts to inject configuration
Network Indicators:
- Unexpected outbound connections from ingress-nginx pods
- Unusual access patterns to Kubernetes API server from ingress-nginx
SIEM Query:
source="kubernetes" AND ("ingress" AND ("path" CONTAINS "proxy_pass" OR "path" CONTAINS "rewrite" OR "path" CONTAINS "~"))
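As an added example (not code from this page or from the ingress-nginx project), the following Python audit applies the path checks described under How to Verify and Detection to the JSON output of `kubectl get ingress -A -o json`. The embedded sample input is constructed, and the allow-list regex and the marker list are assumptions chosen for illustration.

```python
import json
import re

# Assumed conservative allow-list for Ingress path values: URL path characters only.
# Quotes, braces, ';', '~', '$', whitespace and similar never belong in a routing path.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9/._-]*$")

# Substrings the advisory lists as indicators of nginx directives inside a path.
NGINX_MARKERS = ("proxy_pass", "rewrite", "~")


def audit_ingress_paths(ingress_list_json):
    """Scan `kubectl get ingress -A -o json` output and return one finding per
    suspicious path as (namespace, name, path, reason)."""
    findings = []
    for obj in json.loads(ingress_list_json).get("items", []):
        meta = obj.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        for rule in obj.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                path = p.get("path", "")
                if not path:
                    continue  # an empty path is legal for pathType Prefix
                hits = [m for m in NGINX_MARKERS if m in path]
                if hits:
                    findings.append((ns, name, path, "nginx marker: " + ",".join(hits)))
                elif not SAFE_PATH.match(path):
                    findings.append((ns, name, path, "characters outside allow-list"))
    return findings


# Constructed sample: one benign Ingress and one with two paths that should be flagged.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "web"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "dev", "name": "odd"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/static", "pathType": "Prefix"},
         {"path": "/x proxy_pass", "pathType": "ImplementationSpecific"},
         {"path": "/y;z", "pathType": "ImplementationSpecific"}]}}]}},
]})

if __name__ == "__main__":
    for ns, name, path, reason in audit_ingress_paths(SAMPLE):
        print(f"{ns}/{name}: {path!r} -> {reason}")
```

Pipe live cluster output into `audit_ingress_paths` to get the same findings for real Ingress objects; an empty result means no path carries marker strings or characters outside the allow-list.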