Arbitrary Code Execution Vulnerability in Ingress Controller by NGINX
CVE-2026-24512
What is CVE-2026-24512?
CVE-2026-24512 is a critical vulnerability in the ingress-nginx controller, which is used in Kubernetes environments to manage external access to services. This component routes incoming traffic to the appropriate internal services based on defined rules. The vulnerability arises from misuse of the rules.http.paths.path field of an Ingress object, which can allow an attacker to inject malicious configuration into the ingress-nginx controller's generated nginx configuration. Exploitation can lead to arbitrary code execution, which may severely compromise the integrity and confidentiality of the affected systems. Additionally, because the ingress-nginx controller has access to all Secrets in the cluster by default, the vulnerability can also lead to disclosure of sensitive information, heightening the risk to the organization.
Potential impact of CVE-2026-24512
- Arbitrary Code Execution: An attacker exploiting this vulnerability can execute arbitrary code within the context of the ingress-nginx controller. This can lead to unauthorized manipulation of the system, enabling further attacks or modifications to operational environments.
- Disclosure of Sensitive Secrets: The ingress-nginx controller's default access to cluster-wide Secrets means that exploiting this vulnerability may allow attackers to access sensitive data, including API keys and other confidential information, potentially leading to broader security breaches.
- Operational Disruptions: Compromise of the ingress-nginx controller can disrupt operational continuity, as malicious configurations may reroute traffic or alter service availability, impacting business processes and potentially causing service downtime.
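A defender's first two questions for this advisory are "is my controller on a fixed release?" and "does any Ingress in the cluster carry a path value that looks like nginx configuration rather than a URL path?". The script below is an added example, not code from the advisory or from the ingress-nginx project. It encodes the fixed releases stated above (1.13.7 and 1.14.3) and scans Ingress objects in the shape `kubectl get ingress -A -o json` returns. The metacharacter list is an assumption of this example: it flags characters that carry meaning in an nginx configuration file but have no place in a path, even a regex path, so legitimate `nginx.ingress.kubernetes.io/use-regex` patterns such as `/app/(.*)` are not flagged. The sample Ingress objects are constructed for the demonstration.

```python
import json
import re
import sys

# Fixed releases named in the advisory: 1.13.7 (1.13 line) and 1.14.3 (1.14 line).
FIX_1_13 = (1, 13, 7)
FIX_1_14 = (1, 14, 3)

# Heuristic (assumption of this example): characters with meaning in an nginx
# configuration file that never belong in an Ingress path, regex or not.
NGINX_METACHARS = re.compile(r'[;{}#"\'\s]')


def parse_version(version):
    """Turn 'v1.13.6' or '1.13.6' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ingress-nginx version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the controller version is at or above a fixed release per the advisory."""
    v = parse_version(version)
    if v[:2] == (1, 13):
        return v >= FIX_1_13
    # Everything below 1.13.7 (e.g. 1.12.x) is listed as affected; 1.14.3+ is fixed.
    return v >= FIX_1_14


def find_suspicious_paths(ingresses):
    """Return (namespace, name, path) for every Ingress path containing nginx metacharacters."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "<unnamed>")
        for rule in ing.get("spec", {}).get("rules", []):
            for entry in rule.get("http", {}).get("paths", []):
                path = entry.get("path", "")
                if NGINX_METACHARS.search(path):
                    findings.append((ns, name, path))
    return findings


# Constructed sample objects: two ordinary paths (one a regex path) and one
# path that contains a stray ';', which a URL path never needs.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"rules": [{"host": "shop.example.test",
                         "http": {"paths": [{"path": "/", "pathType": "Prefix"},
                                            {"path": "/app/(.*)", "pathType": "ImplementationSpecific"}]}}]}},
    {"metadata": {"namespace": "prod", "name": "store"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/search;", "pathType": "Prefix"}]}}]}},
]


def audit(ingresses, controller_version):
    """Combine both checks into one report dict."""
    return {
        "controller_patched": is_patched(controller_version),
        "suspicious_paths": find_suspicious_paths(ingresses),
    }


if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json | python audit_ingress.py <controller-version>
    # With no stdin data, the constructed sample objects are scanned instead.
    version = sys.argv[1] if len(sys.argv) > 1 else "1.13.6"
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_INGRESSES
    print(json.dumps(audit(items, version), indent=2))
```

Treat a hit from `find_suspicious_paths` as something to review with the owning team, not as proof of compromise, and treat `controller_patched == False` as the signal that matters most: the version check follows directly from the affected ranges listed on this page, while the path heuristic is only a cheap way to spot objects worth a closer look while the upgrade is scheduled.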

Affected Version(s)
- ingress-nginx 0
- ingress-nginx >= 0, < 1.13.7
- ingress-nginx >= 0, < 1.14.3