Nginx CVE-2026-24512
HIGH
GHSA-jx8c-56mg-h6vp
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
A security issue was discovered in ingress-nginx where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
AnalysisAI
Ingress-nginx controllers are vulnerable to arbitrary code execution through malicious path specifications in Ingress rules, allowing authenticated attackers to inject nginx configuration and execute commands with controller privileges. The vulnerability also enables disclosure of cluster-wide Secrets accessible to the controller. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all ingress-nginx deployments and identify systems exposed to untrusted ingress definitions; implement network access controls to restrict who can create or modify Ingress resources. Within 7 days: Deploy WAF rules to detect and block suspicious path patterns in HTTP requests; enable audit logging for all Ingress resource modifications; isolate ingress-nginx controller service accounts with minimal secret access. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/22. ty (Colm O hEigeartaigh <coheigea@...che.or
Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets a
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today