A critical security vulnerability has been identified in ingress-nginx, the widely used Ingress controller for Kubernetes. Tracked as CVE-2026-3288 with a high-severity CVSS score of 8.8, the flaw centers on how the controller handles specific annotations, potentially allowing attackers to break out of their sandboxes and seize control of sensitive cluster data.
The issue lies within the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation. Security researchers discovered that this annotation can be manipulated to inject malicious configurations directly into the underlying Nginx process.
The consequences of a successful exploit are severe:
- Arbitrary Code Execution: Attackers can execute code within the context of the ingress-nginx controller itself.
- Massive Data Leakage: Because many default installations grant the controller cluster-wide access, an attacker could disclose any Secrets stored across the entire Kubernetes cluster.
This vulnerability specifically affects environments running the ingress-nginx controller. If you are unsure whether your cluster is running the affected software, you can verify its presence by executing the following command:
Affected Versions
- ingress-nginx: Versions prior to 1.13.8
- ingress-nginx: Versions prior to 1.14.4
- ingress-nginx: Versions prior to 1.15.0
Administrators should immediately inspect their Ingress resources for signs of tampering. Specifically, look for “suspicious data within the rules.http.paths.path field,” which may indicate an exploitation attempt.
The most effective solution is to move to a patched version of the controller (v1.13.8, v1.14.4, or v1.15.0 and above).
If an immediate upgrade isn’t possible, you can mitigate the risk by using admission control policies to block the use of the rewrite-target annotation entirely until the patch is applied.
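As an added example (not code from the advisory or the ingress-nginx project), the following Python script performs the two administrator checks above over Ingress objects in the JSON shape that `kubectl get ingress -A -o json` returns: it lists Ingresses carrying the rewrite-target annotation (the ones an admission policy would reject until the upgrade lands) and flags any rules.http.paths.path containing characters a legitimate path does not need. The sample Ingress list and the "suspicious characters" heuristic are constructed assumptions, not indicators published with the advisory.

```python
import json
import re

REWRITE_ANNOTATION = "nginx.ingress.kubernetes.io/rewrite-target"
# Assumption (not from the advisory): a legitimate path, even a rewrite regex
# such as /api(/|$)(.*), never needs whitespace, newlines or the nginx
# statement/block delimiters ; { } #.
SUSPICIOUS_PATH = re.compile(r"[\s;{}#]")


def _ing(ns, name, path, rewrite=None):
    """Build one Ingress object in the shape kubectl returns (constructed test data)."""
    ann = {REWRITE_ANNOTATION: rewrite} if rewrite is not None else {}
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann},
            "spec": {"rules": [{"http": {"paths": [{"path": path}]}}]}}


# Constructed stand-in for `kubectl get ingress -A -o json`; not real cluster data.
SAMPLE_INGRESS_LIST = json.dumps({"items": [
    _ing("shop", "api", "/api(/|$)(.*)", rewrite="/$2"),  # normal regex rewrite
    _ing("shop", "web", "/"),                             # no rewrite annotation
    _ing("dev", "odd", "/x;\n  {", rewrite="/"),          # config syntax in a path
]})


def audit_ingresses(ingress_list_json):
    """Return (uses_rewrite, suspicious) as lists of 'namespace/name' refs:
    Ingresses an admission policy would block, and Ingresses whose
    rules.http.paths.path needs investigation."""
    uses_rewrite, suspicious = [], []
    for item in json.loads(ingress_list_json).get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if REWRITE_ANNOTATION in (meta.get("annotations") or {}):
            uses_rewrite.append(ref)
        paths = (p.get("path", "")
                 for rule in item.get("spec", {}).get("rules", [])
                 for p in (rule.get("http") or {}).get("paths", []))
        if any(SUSPICIOUS_PATH.search(path) for path in paths):
            suspicious.append(ref)
    return uses_rewrite, suspicious


if __name__ == "__main__":
    rewrite, odd = audit_ingresses(SAMPLE_INGRESS_LIST)
    print("uses rewrite-target (block via admission policy until patched):", rewrite)
    print("suspicious path data (investigate):", odd)
```

Pipe real cluster output into `audit_ingresses` instead of the constructed sample to run the same triage against your own Ingress resources.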