
Understanding Ingress NGINX: CVE-2026-1580 and CVE-2026-24512 Explained
Introduction
In early February 2026, two high-severity vulnerabilities were disclosed in the Ingress NGINX controller for Kubernetes: CVE-2026-1580 and CVE-2026-24512.
Both carry a CVSS score of approximately 8.8 (High) and allow NGINX configuration injection, which can lead to remote code execution (RCE) inside the controller pod and to exposure of the Kubernetes secrets it handles.
Given the widespread adoption of Ingress NGINX across cloud-native environments, these vulnerabilities pose a significant risk and warrant immediate attention from engineering and security teams.
What Is NGINX?
NGINX is a widely used, high-performance web server and reverse proxy. It is commonly deployed to:
- Serve web applications
- Act as a reverse proxy and load balancer
- Terminate TLS/SSL connections
- Enforce authentication and access controls
NGINX is a foundational component of modern web infrastructure and is heavily used in cloud and containerized environments.
What Is Ingress NGINX?
Ingress NGINX is a Kubernetes Ingress Controller that uses NGINX to manage external access to services inside a Kubernetes cluster.
Its responsibilities include:
- Monitoring Kubernetes Ingress resources
- Translating them into dynamic NGINX configurations
- Routing inbound traffic to internal services
- Managing TLS certificates and authentication mechanisms
Because Ingress NGINX typically operates at the edge of the cluster and has access to sensitive configuration data, it is a high-value target for attackers.
Vulnerability Overview
CVE-2026-24512: Ingress Path Configuration Injection
CVE-2026-24512 is caused by improper input validation of the spec.rules[].http.paths[].path field in Kubernetes Ingress definitions.
An attacker with permission to create or modify Ingress resources can craft a malicious path value that injects unintended NGINX directives into the generated configuration.
Potential impact includes:
- Arbitrary NGINX configuration injection
- Remote code execution within the Ingress controller process
- Access to Kubernetes secrets handled by the controller
- Possible escalation toward full cluster compromise
Severity: CVSS 8.8 (High)
CVE-2026-1580: Annotation-Based Configuration Injection
CVE-2026-1580 affects how certain authentication-related Ingress annotations are parsed and rendered into NGINX configuration files.
Due to insufficient sanitization, specially crafted annotation values may introduce arbitrary directives into the live NGINX configuration.
Potential impact includes:
- Manipulation of NGINX runtime behavior
- Remote code execution scenarios
- Exposure or interception of application traffic
- Access to sensitive configuration data
Severity: CVSS approximately 8.8 (High)
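Both CVEs come down to Ingress fields being copied into nginx.conf without enough sanitization, so a useful interim check is to audit the Ingress objects already in a cluster for values that carry nginx.conf structure. The script below is an added example written for this article; it is not the controller's own validation and it does not reproduce either vulnerability. Its heuristic is an assumption: a URL path prefix (or a regex path) and a `nginx.ingress.kubernetes.io/*` annotation value should never need a directive terminator (`;`), block braces, a `#` comment marker, a newline or a NUL byte, so any of those is reported. The `*-snippet` annotations are raw NGINX config by design and are listed separately. The JSON is shaped like `kubectl get ingress -A -o json` output but is constructed, and the flagged values are illustrative, not working payloads.

```python
import json
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Bytes with structural meaning in nginx.conf that a legitimate path or
# annotation value should never need (conservative heuristic, an assumption).
CONFIG_META = re.compile(r"[;{}#\r\n\x00]")


def is_snippet_annotation(key):
    """configuration-snippet / server-snippet style annotations are raw nginx
    config by design, so they are reported separately rather than as injection."""
    return key.startswith(ANNOTATION_PREFIX) and key.endswith("-snippet")


def audit_ingress(obj):
    """Return (kind, location, value) findings for one Ingress object."""
    findings = []
    meta = obj.get("metadata") or {}
    where = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    rules = (obj.get("spec") or {}).get("rules") or []
    for i, rule in enumerate(rules):
        paths = (rule.get("http") or {}).get("paths") or []
        for j, p in enumerate(paths):
            path = p.get("path") or ""
            if CONFIG_META.search(path):
                findings.append(("path", f"{where} spec.rules[{i}].http.paths[{j}].path", path))
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        if is_snippet_annotation(key):
            findings.append(("snippet", f"{where} {key}", value))
        elif CONFIG_META.search(str(value)):
            findings.append(("annotation", f"{where} {key}", value))
    return findings


def audit_document(doc):
    """Audit a single Ingress or a `kubectl get ingress -A -o json` List."""
    items = doc.get("items") if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items or []:
        findings.extend(audit_ingress(item))
    return findings


def audit_json(text):
    return audit_document(json.loads(text))


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
# "shop" is clean; "evil-path" and "evil-annotation" carry nginx.conf
# metacharacters purely to exercise the check (not real exploit payloads).
SAMPLE = r'''
{"kind": "List", "apiVersion": "v1", "items": [
  {"metadata": {"name": "shop", "namespace": "shop",
                "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
   "spec": {"rules": [{"host": "shop.example.com",
            "http": {"paths": [{"path": "/", "pathType": "Prefix",
                     "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]}},
  {"metadata": {"name": "evil-path", "namespace": "tenant-b"},
   "spec": {"rules": [{"http": {"paths": [{"path": "/api; }", "pathType": "ImplementationSpecific",
                     "backend": {"service": {"name": "x", "port": {"number": 80}}}}]}}]}},
  {"metadata": {"name": "evil-annotation", "namespace": "tenant-b",
                "annotations": {"nginx.ingress.kubernetes.io/auth-url": "http://auth.tenant-b.svc/check;\n",
                                "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \"X-Tenant: b\";"}},
   "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix",
                     "backend": {"service": {"name": "y", "port": {"number": 80}}}}]}}]}}
]}
'''

if __name__ == "__main__":
    for kind, location, value in audit_json(SAMPLE):
        print(f"[{kind}] {location}: {value!r}")
```

Run it against real output with `kubectl get ingress -A -o json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`. A hit is not proof of exploitation, but a path or auth annotation that needs a semicolon or brace has no legitimate reason to exist and deserves a look before the controller is upgraded.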
Who Is Affected?
Organizations are affected if all of the following apply:
- The Ingress NGINX controller is deployed in the Kubernetes cluster
- The deployed version is earlier than v1.13.7 or v1.14.3
- Users, service accounts, or automation systems can create or modify Ingress resources
This risk is particularly elevated in environments with:
- Broad or permissive Kubernetes RBAC policies
- Multi-tenant clusters
- CI/CD pipelines that automatically deploy Ingress objects
Even clusters that are not directly exposed to the internet may be vulnerable if an internal actor or compromised workload can manipulate Ingress definitions.
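The version condition above is the one most teams need to check first. The following is an added example, not part of the advisory: it takes a list of pods and their container images, picks out the ingress-nginx controller images, and compares each tag against the fixed releases the advisory names (v1.13.7 and v1.14.3). Two assumptions are baked in and labelled in the code: release lines newer than v1.14 are treated as patched, lines older than v1.13 as unpatched, and an image pinned only by digest is reported as unknown because the tag cannot be read from it. The sample lines are constructed, not real pods.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) line.
FIXED = {(1, 13): (1, 13, 7), (1, 14): (1, 14, 3)}

# Matches an image tag such as "v1.13.5" or "1.14.3-alpha".
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Live collection, one line per pod with its images space-separated:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
# Feed those lines to triage_lines(); this script runs on the constructed sample below.


def parse_tag(image):
    """Return (major, minor, patch) parsed from an image reference, or None
    when no tag can be read (for example a digest-only reference)."""
    name = image.split("@", 1)[0]          # drop any @sha256:... digest
    _repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:              # no tag, or the colon was a registry port
        return None
    m = TAG_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if the version predates the fixed release of its minor line.
    Assumption: lines newer than any fixed line are patched, lines older than
    the oldest fixed line never received the fix. None means unknown."""
    if version is None:
        return None
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return line < min(FIXED)


def triage_lines(lines):
    """Map 'namespace/pod image...' lines to a verdict for every pod that
    runs an ingress-nginx controller image; other pods are skipped."""
    verdicts = {}
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        pod, images = parts[0], parts[1:]
        for image in images:
            if "ingress-nginx/controller" not in image:
                continue
            v = is_vulnerable(parse_tag(image))
            verdicts[pod] = "unknown" if v is None else ("VULNERABLE" if v else "patched")
    return verdicts


# Constructed sample shaped like the kubectl output above (not real pods).
SAMPLE = """\
ingress-nginx/ingress-nginx-controller-7b4c8 registry.k8s.io/ingress-nginx/controller:v1.13.5
ingress-nginx/ingress-nginx-controller-9d2f1 registry.k8s.io/ingress-nginx/controller:v1.14.3
edge/nginx-ingress-0 registry.k8s.io/ingress-nginx/controller:v1.12.1
edge/nginx-ingress-1 registry.k8s.io/ingress-nginx/controller@sha256:0123456789abcdef
shop/web-5f6d7 nginx:1.27
"""

if __name__ == "__main__":
    for pod, verdict in triage_lines(SAMPLE.splitlines()).items():
        print(f"{verdict:<10} {pod}")
```

For an "unknown" verdict, resolve the digest with `kubectl get pod <pod> -n <ns> -o jsonpath='{.status.containerStatuses[*].imageID}'` and look it up in your registry, or check the controller's own version banner in its pod logs at startup.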
Who Is Not Affected?
The following environments are not impacted:
- Kubernetes clusters that do not use Ingress NGINX
- Clusters using alternative ingress solutions such as Traefik, HAProxy Ingress, Cilium Ingress, or Gateway API-based controllers
Impact and Risk Considerations
Successful exploitation of these vulnerabilities may allow attackers to:
- Execute code within the Ingress controller pod
- Access TLS private keys and Kubernetes secrets
- Intercept or manipulate inbound application traffic
- Establish a foothold for deeper lateral movement within the cluster
Given the privileged role Ingress NGINX often plays, exploitation can result in high-impact security incidents.
Mitigation and Recommendations
To reduce risk, organizations should:
- Upgrade Ingress NGINX to v1.13.7, v1.14.3, or later immediately
- Restrict Kubernetes RBAC permissions related to Ingress creation and modification
- Limit annotation usage to trusted workloads and teams
- Monitor for unexpected or unauthorized changes to Ingress resources
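The last two recommendations, tight RBAC and monitoring of Ingress changes, can be checked from the API server audit log. The script below is an added example for this article, not tooling from the Ingress NGINX project. It reads Kubernetes audit events (the standard `audit.k8s.io/v1` JSON-lines format) and reports two things: a successful create, update, patch or delete on an Ingress by a subject outside an allowlist of expected writers, and any such write the API server refused, which is the RBAC restriction doing its job but is also the kind of probing worth noticing. The allowlist and all of the events are constructed for the sample.

```python
import json

MUTATING_VERBS = {"create", "update", "patch", "delete"}

# Subjects expected to manage Ingress objects. Assumption for the sample; in
# practice derive this from the RoleBindings that grant write on ingresses.
EXPECTED_SUBJECTS = {"system:serviceaccount:cicd:deployer"}


def ingress_events(audit_lines, expected=EXPECTED_SUBJECTS):
    """Scan audit log JSON lines for writes to Ingress objects.

    Returns a list of dicts whose 'severity' is:
      alert  - the write succeeded and the subject is not in `expected`
      denied - the API server rejected the write (401/403)
    Successful writes by expected subjects, reads, and non-Ingress events
    are ignored.
    """
    results = []
    for raw in audit_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        # Only the completed request carries the final status code.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in MUTATING_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "ingresses" or ref.get("apiGroup") != "networking.k8s.io":
            continue
        user = (ev.get("user") or {}).get("username", "")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if code in (401, 403):
            severity = "denied"
        elif code < 400 and user not in expected:
            severity = "alert"
        else:
            continue
        results.append({
            "severity": severity,
            "time": ev.get("requestReceivedTimestamp"),
            "user": user,
            "verb": ev["verb"],
            "object": f"{ref.get('namespace', '')}/{ref.get('name', '?')}",
        })
    return results


def _event(verb, user, resource, ns, name, code, stage="ResponseComplete", group="networking.k8s.io"):
    """Build one constructed audit event in the audit.k8s.io/v1 shape."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource, "apiGroup": group, "namespace": ns, "name": name},
          "requestReceivedTimestamp": "2026-02-10T09:00:00Z"}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


# Constructed sample log: a normal CI deploy, an application service account
# rewriting an Ingress (the "compromised workload" case), a denied edit, a
# read, an incomplete stage record, and an unrelated pod creation.
SAMPLE_AUDIT = "\n".join([
    _event("create", "system:serviceaccount:cicd:deployer", "ingresses", "shop", "shop", 201),
    _event("patch", "system:serviceaccount:shop:web", "ingresses", "shop", "shop", 200),
    _event("update", "jane@example.com", "ingresses", "tenant-b", "api", 403),
    _event("get", "jane@example.com", "ingresses", "tenant-b", "api", 200),
    _event("patch", "system:serviceaccount:shop:web", "ingresses", "shop", "shop", 0, stage="RequestReceived"),
    _event("create", "system:serviceaccount:shop:web", "pods", "shop", "web-1", 201, group=""),
])

if __name__ == "__main__":
    for hit in ingress_events(SAMPLE_AUDIT.splitlines()):
        print(f"{hit['severity']:6} {hit['time']} {hit['user']} {hit['verb']} {hit['object']}")
```

Two practical notes. First, the audit policy must actually record Ingress writes; a rule such as `level: RequestResponse` for `group: networking.k8s.io`, `resources: [ingresses]` captures the submitted path and annotation values as well, which is what you want when triaging an alert. Second, to confirm the RBAC side before an incident rather than after, `kubectl auth can-i create ingresses -n <namespace> --as=system:serviceaccount:<namespace>:<name>` answers whether a given workload identity could write an Ingress at all.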
Key Takeaways
- CVE-2026-1580 and CVE-2026-24512 are high-severity vulnerabilities affecting Ingress NGINX
- Both enable configuration injection with the potential for remote code execution
- Any organization running unpatched Ingress NGINX should treat this as an urgent issue
- Prompt patching and RBAC hardening significantly reduce exposure
