CVE-2026-3288
📋 TL;DR
This CVE describes a vulnerability in ingress-nginx in which the value of the nginx.ingress.kubernetes.io/rewrite-target annotation is rendered into the generated nginx configuration without adequate validation, so an attacker who can set that annotation can inject arbitrary nginx directives. The result is arbitrary code execution inside the ingress-nginx controller pod and disclosure of every Secret the controller's service account can read, which with the project's default RBAC means all Secrets cluster-wide. Any Kubernetes cluster running ingress-nginx in which a principal other than a cluster administrator can create or modify Ingress objects is exposed.
💻 Affected Systems
- ingress-nginx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise: attacker gains control of ingress-nginx controller, accesses all cluster Secrets, executes arbitrary code, and potentially pivots to other cluster resources.
Likely Case
Secret disclosure and limited code execution: attacker extracts sensitive Secrets (credentials, tokens, certificates) and executes commands within the ingress-nginx controller pod.
If Mitigated
Limited impact only where the controller's own reach is already constrained: network policies on the controller pod and a minimal controller service account limit lateral movement. RBAC on cluster users does not reduce what the exploit can read, because the injected code runs with the controller's own service-account token, which by design can read TLS Secrets.
🎯 Exploit Status
Exploitation requires the ability to create or modify Ingress resources carrying the rewrite-target annotation. In multi-tenant clusters that permission is commonly granted to namespace-level developers and CI pipelines, so the attacker does not need cluster-admin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check upstream ingress-nginx releases for specific version
Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/137560
Restart Required: Yes
Instructions:
1. Update the ingress-nginx controller to a patched release and restart it.
2. Audit every Ingress for the rewrite-target annotation; delete or correct any whose value is not a plain rewrite path so that the controller regenerates a clean nginx.conf.
3. Rotate every Secret the controller's service account could read (TLS keys, tokens, credentials), on the assumption that they were exposed.
🔧 Temporary Workarounds
Restrict Ingress creation
Use RBAC to limit who can create or modify Ingress resources at all. Kubernetes RBAC is allow-only and matches on resource names, not on annotations, so it cannot deny a single annotation: a rule with --resource-name=nginx.ingress.kubernetes.io/rewrite-target matches nothing useful, and binding a role that allows create/update/patch on ingresses to a user grants that user the ability to exploit this rather than removing it. Give untrusted principals a read-only role, remove any existing bindings that grant write verbs on ingresses, and confirm the result with kubectl auth can-i:
kubectl create clusterrole ingress-viewer --verb=get,list,watch --resource=ingresses
kubectl create clusterrolebinding ingress-viewer --clusterrole=ingress-viewer --user=<user>
To block the annotation itself while still allowing Ingress writes, enforce the restriction at admission time (a ValidatingAdmissionPolicy, or a policy engine such as OPA Gatekeeper or Kyverno), not through RBAC.
Disable rewrite-target annotation
Configure ingress-nginx to ignore the rewrite-target annotation so that its value is never rendered into the nginx configuration.
Add --disable-annotations=nginx.ingress.kubernetes.io/rewrite-target to the ingress-nginx controller args. Confirm first that your controller version accepts this flag (run the controller binary with --help); an unrecognized flag prevents the controller from starting. If your version has the controller's annotation validation (--enable-annotation-validation), make sure it has not been turned off. Note that this workaround breaks every workload that legitimately relies on rewrite-target.
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can create/modify Ingress resources
- Apply network policies to restrict ingress-nginx controller pod network access
🔍 How to Verify
Check if Vulnerable:
Check whether the ingress-nginx controller image is older than the patched release and whether any Ingress resources in any namespace carry the rewrite-target annotation.
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Verify that the ingress-nginx controller image is the patched version, then, in a scratch namespace, create a test Ingress whose rewrite-target value contains a newline or a semicolon and confirm that the admission webhook or controller rejects it (or logs a validation error) rather than reloading nginx with it.
📡 Detection & Monitoring
Log Indicators:
- Unusual nginx configuration changes in ingress-nginx logs
- Unexpected processes running in ingress-nginx controller pod
Network Indicators:
- Unexpected outbound connections from ingress-nginx controller
- Suspicious requests to Kubernetes API from ingress-nginx
SIEM Query:
source="ingress-nginx" AND ("rewrite-target" OR "configuration injection")
This query also matches every legitimate Ingress that uses rewrite-target, and "configuration injection" is unlikely to appear verbatim in controller logs. Use it to baseline which namespaces and principals use the annotation, then alert on new ones, and correlate with Kubernetes audit-log writes to Ingress objects that add or change the annotation.
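The verification and detection steps above both come down to finding Ingress objects that carry the rewrite-target annotation and deciding whether each value looks like a plain rewrite path or like injected configuration. The script below is an added example, not code from this advisory or from the ingress-nginx project. It reads the JSON that kubectl get ingress -A -o json prints (the sample embedded here is constructed), and its notion of a benign value (a path plus $N capture references) and its list of nginx metacharacters are assumptions for triage, not the controller's own validation rules.

```python
"""Audit Ingress objects for rewrite-target values that could carry injected
nginx configuration.  Added example, not from the advisory or ingress-nginx.
Input: the JSON printed by `kubectl get ingress -A -o json`."""
import json
import re
import sys

REWRITE_KEY = "nginx.ingress.kubernetes.io/rewrite-target"

# Assumption: a benign rewrite target is a path made of ordinary URL path
# characters plus $N capture-group references (e.g. "/", "/$2", "/api/$1").
# This is a triage heuristic, not the controller's own validation.
BENIGN_TARGET = re.compile(r"^/[A-Za-z0-9._~%/\-]*(\$\d[A-Za-z0-9._~%/\-]*)*$")

# Characters that terminate or open nginx directives/blocks or start a
# comment; none of them belong in a rewrite path.
CONFIG_METACHARS = frozenset(";{}#\n\r")


def classify_target(value: str) -> str:
    """Return 'benign', or a short reason the value looks like config injection."""
    bad = sorted(CONFIG_METACHARS.intersection(value))
    if bad:
        return f"contains nginx metacharacters {''.join(bad)!r}"
    if not BENIGN_TARGET.fullmatch(value):
        return "does not look like a plain rewrite path"
    return "benign"


def audit_ingress_list(ingress_list: dict) -> list:
    """One finding per Ingress that carries the annotation, in list order."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        if REWRITE_KEY not in annotations:
            continue
        value = str(annotations[REWRITE_KEY])
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "value": value,
            "verdict": classify_target(value),
        })
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json`:
# one Ingress without the annotation, one benign use, one suspicious value.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "plain"}},
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {REWRITE_KEY: "/$2"}}},
        {"metadata": {"namespace": "dev", "name": "suspicious",
                      "annotations": {REWRITE_KEY: "/app;\n}"}}},
    ],
})


def audit_sample() -> list:
    """Run the audit over the constructed sample."""
    return audit_ingress_list(json.loads(SAMPLE_KUBECTL_JSON))


def main() -> int:
    # Real use: kubectl get ingress -A -o json | python3 audit_rewrite.py
    # With no piped input the constructed sample is audited instead.
    if sys.stdin.isatty():
        data = json.loads(SAMPLE_KUBECTL_JSON)
    else:
        data = json.load(sys.stdin)
    suspicious = 0
    for f in audit_ingress_list(data):
        print(f"{f['namespace']}/{f['name']}: {f['value']!r} -> {f['verdict']}")
        suspicious += f["verdict"] != "benign"
    return 1 if suspicious else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is non-zero when any value is flagged, so the script can gate a CI job or a scheduled audit. Treat every flagged Ingress as a potential indicator of exploitation and follow the Secret-rotation step above for the affected cluster.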