How to fix CVE-2025-15566?

Within 24 hours: inventory all ingress-nginx deployments and identify who has permissions to create/modify Ingress resources; audit recent Ingress object changes for suspicious annotations. Within 7 days: implement RBAC restrictions to limit Ingress creation to trusted teams only; deploy WAF rules to block suspicious auth-proxy-set-headers patterns; consider disabling the annotation feature if not actively used. Within 30 days: monitor vendor channels for patch release and deploy immediately upon availability; conduct security review of all existing Ingress configurations.

Is Kubernetes affected by CVE-2025-15566?

A critical vulnerability in ingress-nginx allows attackers to inject arbitrary nginx configuration through Ingress annotations, potentially compromising Kubernetes clusters and exposing sensitive applications.

CVE-2025-15566

HIGH

2026-02-06 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 04:15 nvd

HIGH 8.8

Description

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Analysis

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. [CVSS 8.8 HIGH]

Technical Context

Classified as CWE-20 (Improper Input Validation). A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected Products

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inje

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-15566 vulnerability details – vuln.today

Back

CVE-2025-15566

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15566

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code