CVE-2026-24512
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Analysis
Ingress-nginx controllers are vulnerable to arbitrary code execution through malicious path specifications in Ingress rules, allowing authenticated attackers to inject nginx configuration and execute commands with controller privileges. The vulnerability also enables disclosure of cluster-wide Secrets accessible to the controller. …
Remediation
Within 24 hours: Inventory all ingress-nginx deployments and identify systems exposed to untrusted ingress definitions; implement network access controls to restrict who can create or modify Ingress resources.
Within 7 days: Deploy WAF rules to detect and block suspicious path patterns in HTTP requests; enable audit logging for all Ingress resource modifications; isolate ingress-nginx controller service accounts with minimal secret access. …
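One way to carry out the inventory step above against existing Ingress objects, as an added example (not code from the advisory or the ingress-nginx project): it takes input shaped like `kubectl get ingress -A -o json` and flags every `rules.http.paths.path` value outside a conservative allow-list. The allow-list, the function name and the sample objects are assumptions constructed for illustration.

```python
import json
import re

# Assumption: a conservative allow-list for literal URL paths. Anything else
# (whitespace, ';', '{', '}', quotes, '#', newlines, regex syntax) is flagged.
# A flag means "review this object", not "this object is malicious".
SAFE_PATH = re.compile(r"/[A-Za-z0-9._~/-]*")


def audit_ingress_paths(ingress_list):
    """Return (namespace, name, host, pathType, path) for each path outside the allow-list."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path") or "/"  # an omitted path matches everything
                # fullmatch, not match/$: a trailing newline must not slip through
                if not SAFE_PATH.fullmatch(path):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     rule.get("host"), p.get("pathType"), path))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = json.loads(r"""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
     {"path": "/cart", "pathType": "Prefix"},
     {"path": "/static/img-v2.1", "pathType": "Exact"}]}}]}},
  {"metadata": {"namespace": "dev", "name": "odd"},
   "spec": {"rules": [{"host": "dev.example.test", "http": {"paths": [
     {"path": "/a b;c", "pathType": "ImplementationSpecific"},
     {"path": "/api/v1/(.*)", "pathType": "ImplementationSpecific"}]}}]}}
]}
""")

if __name__ == "__main__":
    for ns, name, host, ptype, path in audit_ingress_paths(SAMPLE):
        print(f"REVIEW {ns}/{name} host={host} pathType={ptype} path={path!r}")
```

Legitimate regex paths such as `/api/v1/(.*)` are flagged too, so the output is a review queue to reconcile against who is permitted to create or modify Ingress resources.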
GHSA-jx8c-56mg-h6vp