Injection Vulnerability in NGINX Ingress Controller Affects F5 Networks
CVE-2026-55723

8.7HIGH

Key Information:

Vendor

F5

Vendor
CVE Published:
15 July 2026

What is CVE-2026-55723?

An injection vulnerability exists within the NGINX Ingress Controller when it is utilized with Custom Resource Definitions (CRDs) or Ingress annotations. This issue allows an authenticated attacker with the requisite permissions to manipulate CRDs or annotations via the Kubernetes API. By injecting arbitrary values, the attacker can alter the generated NGINX configuration in unintended ways, potentially enabling unauthorized configuration directives, which may lead to file creation or deletion, as well as service disruptions. Importantly, the risk is confined to control plane operations, presenting significant implications for security management and system integrity.

Affected Version(s)

NGINX Ingress Controller 5.0.0 < 5.5.2

NGINX Ingress Controller 2026-lts-r1 < 2026-lts-r3

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
.