CVE-2026-3288NVD

Vulnerability Summary

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Severity Level

HIGH(8.8)

Published Date

Mar 9, 2026

Last Modified

May 6, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.05%Probability

Root Weakness (CWE)

CWE-20: Improper Input Validation ↗

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://github.com/kubernetes/kubernetes/issues/137560
http://www.openwall.com/lists/oss-security/2026/03/09/8
https://github.com/bvabhishek/CVE-2026-3288-lab

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-3288NVD

Vulnerability Summary

External References