Arbitrary Code Execution Vulnerability in Ingress-Nginx by Kubernetes
CVE-2026-3288

8.8 HIGH

Key Information:

  • Vendor: Kubernetes

  • CVE Published: 9 March 2026

Badges

👾 Exploit Exists · 🟡 Public PoC

What is CVE-2026-3288?

CVE-2026-3288 is a critical vulnerability identified in the ingress-nginx controller, a component used within Kubernetes environments to manage incoming traffic and route it to the appropriate services. The vulnerability arises from the misuse of the nginx.ingress.kubernetes.io/rewrite-target annotation, whose value can be abused to inject arbitrary directives into the nginx configuration that the controller generates. This enables attackers to execute arbitrary code within the context of the ingress-nginx controller, which operates with extensive permissions across the cluster. Consequently, the vulnerability poses a severe risk: it can lead to the exposure of sensitive data, including Secrets that the controller can read across the entire cluster.

Potential impact of CVE-2026-3288

  1. Arbitrary Code Execution: The primary risk associated with this vulnerability is that it allows an attacker to execute arbitrary code within the ingress-nginx controller. This could lead to unauthorized manipulation of traffic, severe disruptions, or the deployment of malicious payloads in the Kubernetes environment.

  2. Data Disclosure: Given that the ingress-nginx controller has access to all Secrets cluster-wide by default, exploitation of this vulnerability could result in the disclosure of sensitive data. This includes access tokens, passwords, and other confidential information critical to the security and operations of the organization.

  3. Increased Attack Surface: This vulnerability expands the attack surface of Kubernetes installations. Malicious actors could leverage it to gain a foothold in targeted infrastructure, escalate privileges and compromise further systems within the organization.


Affected Version(s)

  • ingress-nginx 0

  • ingress-nginx 0 ≤ version < 1.13.8

  • ingress-nginx 0 ≤ version < 1.14.4
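The description above says the rewrite-target annotation can be abused to inject configuration, and the affected ranges above name the fixed releases. The following script is an added defensive example written for this page; it is not code from the Kubernetes project or from the advisory. It does two things a cluster operator would want after reading this entry: it classifies a controller version against the fixed releases listed on the page (assuming, as the ranges imply, that 1.13.8 and 1.14.4 are the first fixed releases of their branches), and it audits Ingress objects (the constructed SAMPLE_INGRESSES mimic the items returned by `kubectl get ingress -A -o json`) for rewrite-target values that do not look like a plain path. The regular expression is a generic hygiene heuristic, not a signature for the exact payload used in the CVE.

```python
import re
from typing import Iterable

REWRITE_ANNOTATION = "nginx.ingress.kubernetes.io/rewrite-target"

# Fixed releases as listed on the page; an installation below the fix on the same branch is affected.
# ASSUMPTION: 1.13.x releases at or above 1.13.8 are treated as fixed even though they sort below 1.14.4.
FIXED_VERSIONS = ((1, 13, 8), (1, 14, 4))


def parse_version(version: str) -> tuple:
    """Turn 'v1.14.3' or '1.14.3' into (1, 14, 3); reject anything else."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised ingress-nginx version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the controller version falls inside an affected range from the advisory."""
    major, minor, patch = parse_version(version)
    for fix_major, fix_minor, fix_patch in FIXED_VERSIONS:
        if (major, minor) == (fix_major, fix_minor):
            return patch < fix_patch
    # Branches older than the oldest fixed branch never received the fix; newer ones ship with it.
    return (major, minor) < FIXED_VERSIONS[0][:2]


# Heuristic for a benign rewrite target: a single path, optionally using $1-style capture
# references, with no whitespace and no nginx directive punctuation. Anything outside this
# shape is flagged for human review (hygiene check, not a payload signature).
BENIGN_TARGET = re.compile(r"^/[A-Za-z0-9._~\-/$?=&%]*$")


def suspicious_rewrite_targets(ingresses: Iterable[dict]) -> list:
    """Return (namespace, name, value) for every Ingress whose rewrite-target looks unlike a path."""
    findings = []
    for ingress in ingresses:
        meta = ingress.get("metadata", {})
        value = (meta.get("annotations") or {}).get(REWRITE_ANNOTATION)
        if value is None:
            continue
        if not BENIGN_TARGET.fullmatch(value):
            findings.append((meta.get("namespace", "default"), meta.get("name", "<unnamed>"), value))
    return findings


# Constructed sample objects in the shape `kubectl get ingress -A -o json` returns under .items
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {REWRITE_ANNOTATION: "/$2"}}},
    {"metadata": {"namespace": "shop", "name": "web"}},  # no rewrite annotation at all
    {"metadata": {"namespace": "dev", "name": "scratch",
                  "annotations": {REWRITE_ANNOTATION: "/api\n# not a path"}}},
]


if __name__ == "__main__":
    for v in ("1.13.7", "1.13.8", "1.14.3", "1.14.4", "1.12.0"):
        print(f"ingress-nginx {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for ns, name, value in suspicious_rewrite_targets(SAMPLE_INGRESSES):
        print(f"review {ns}/{name}: rewrite-target {value!r}")
```

To run it against a live cluster, replace SAMPLE_INGRESSES with `json.load(...)["items"]` from the kubectl output; any finding is a reason to inspect who created the object, since in a shared cluster the ability to create an Ingress in one namespace is all the page's description requires for the controller to render the attacker-controlled value.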

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.


CVSS v3.1

  • Score: 8.8

  • Severity: HIGH

  • Confidentiality: High

  • Integrity: High

  • Availability: High

  • Attack Vector: Network

  • Attack Complexity: Low

  • Privileges Required: Low

  • User Interaction: None

  • Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kai Aizen