Denial-of-Service Vulnerability in NGINX Ingress Controller by F5 Networks
CVE-2026-52865

7.1HIGH

Key Information:

Vendor

F5

Vendor
CVE Published:
15 July 2026

What is CVE-2026-52865?

An authenticated, remote attacker who possesses write access to Ingress or TransportServer resources can exploit a vulnerability in the NGINX Ingress Controller. By crafting a malformed Ingress or TransportServer resource, the attacker can cause the controller's process to terminate, leading to a persistent crash loop. This results in a denial-of-service condition affecting the control plane of the NGINX Ingress Controller, impacting its stability and availability without exposing any data plane vulnerabilities.

Affected Version(s)

NGINX Ingress Controller 5.0.0 < 5.5.2

NGINX Ingress Controller 2026-lts-r1 < 2026-lts-r3

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
.