CVE-2026-24513
📋 TL;DR
This CVE describes an authentication bypass vulnerability in ingress-nginx when using custom error backends. If administrators configure a defective custom error backend that doesn't respect the X-Code header for 401/403 errors, the auth-url protection can be circumvented. Only deployments with misconfigured external custom error backends are affected.
💻 Affected Systems
- ingress-nginx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could access protected resources behind ingress-nginx with auth-url authentication, potentially exposing sensitive applications or data.
Likely Case
Limited impact since it requires specific administrator misconfiguration with broken external components; most deployments using built-in error handling are unaffected.
If Mitigated
No impact if using built-in custom-errors backend or properly configured external error handlers that respect X-Code headers.
🎯 Exploit Status
Exploitation requires specific misconfiguration by administrators; not a default vulnerability. Attackers would need to discover misconfigured deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/136679
Restart Required: No
Instructions:
1. Ensure custom error backends properly handle X-Code HTTP headers.
2. Test custom error configurations with 401/403 responses.
3. Consider using the built-in custom-errors backend instead of external components.
🔧 Temporary Workarounds
Use built-in custom errors
Remove the custom error backend configuration and use the built-in error handling, which works correctly.
kubectl edit configmap ingress-nginx-controller
Remove or comment out custom-http-errors configuration
Fix custom error backend
Ensure your custom error backend properly respects and forwards X-Code HTTP headers for 401/403 responses.
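The following is an added example, not code from this page or from the ingress-nginx project. It shows a minimal custom error backend that echoes the X-Code status back to nginx, the defective shape that ignores it (and therefore answers 200, which is what lets auth-url failures through), and a probe that sends X-Code 401 and 403 and requires the same status in the reply. Handler and function names and the listen port are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// statusFromXCode returns the status a custom error backend must send back.
// ingress-nginx passes the original error status in X-Code (e.g. 401, 403).
// A missing or non-error value falls back to 500, never to an implicit 200,
// because a 200 here is exactly what turns an auth-url failure into a bypass.
func statusFromXCode(xcode string) int {
	code, err := strconv.Atoi(xcode)
	if err != nil || code < 400 || code > 599 {
		return http.StatusInternalServerError
	}
	return code
}

// errorHandler is the hardened backend: it always propagates the X-Code status.
func errorHandler(w http.ResponseWriter, r *http.Request) {
	code := statusFromXCode(r.Header.Get("X-Code"))
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(code)
	fmt.Fprintf(w, "%d %s\n", code, http.StatusText(code))
}

// brokenHandler is the defective shape the advisory describes: it ignores X-Code,
// so every error page (including 401/403) is served with an implicit 200.
func brokenHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "something went wrong")
}

// respectsXCode probes a backend the way an operator would test a deployed one:
// send X-Code 401 and 403 and require the identical status in the response.
func respectsXCode(h http.Handler) bool {
	for _, want := range []int{http.StatusUnauthorized, http.StatusForbidden} {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.Header.Set("X-Code", strconv.Itoa(want))
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		if rec.Code != want {
			return false
		}
	}
	return true
}

func main() {
	log.Printf("hardened backend passes probe: %v", respectsXCode(http.HandlerFunc(errorHandler)))
	log.Printf("broken backend passes probe: %v", respectsXCode(http.HandlerFunc(brokenHandler)))
	http.HandleFunc("/", errorHandler) // assumed listen port for the example
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

To check a backend that is already deployed, send the same two requests with curl -H "X-Code: 401" and -H "X-Code: 403" and confirm the status line matches; anything else means the auth-url gate can be answered with a success code.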
🧯 If You Can't Patch
- Monitor ingress logs for authentication bypass attempts and 401/403 error responses
- Implement additional authentication layers or WAF rules to protect sensitive endpoints
🔍 How to Verify
Check if Vulnerable:
Check if custom-http-errors is configured in ingress-nginx configmap and test if custom backend properly handles X-Code headers for 401/403 responses.
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Test authentication endpoints with invalid credentials; verify they return proper 401/403 responses without bypassing to protected content.
📡 Detection & Monitoring
Log Indicators:
- 401/403 responses from custom error backends without X-Code header forwarding
- Successful requests to auth-url protected endpoints without proper authentication logs
Network Indicators:
- HTTP 200 responses from endpoints that should require authentication
- Missing authentication headers in requests to protected endpoints
SIEM Query:
ingress_nginx_status>399 AND request_uri CONTAINS '/protected-path' AND NOT auth_header EXISTS