Skip to main content

NGINX Ingress Controller CVE-2026-55723

| EUVDEUVD-2026-44680 HIGH
Improper Neutralization of Equivalent Special Elements (CWE-76)
2026-07-15 f5 GHSA-wxxq-mwhh-cvm2
8.7
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Reachable over the Kubernetes API (AV:N) but requires ingress/CRD write privileges (PR:L); injected directives break the RBAC/tenant boundary into the controller, so S:C, with high confidentiality/integrity and limited availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 15, 2026 - 15:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 15:22 NVD
8.3 (HIGH) 8.7 (HIGH)
Analysis Generated
Jul 15, 2026 - 15:21 vuln.today
CVE Published
Jul 15, 2026 - 14:33 cve.org
HIGH 8.3

DescriptionCVE.org

When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives.

Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Kubernetes RBAC write access to Ingress/CRDs
Delivery
Craft CRD field or annotation with injected NGINX directives
Exploit
Submit object via Kubernetes API
Execution
Controller renders unsanitized value into nginx.conf
Persist
Config reload executes injected directives
Impact
Create/delete files or disable services on control plane

Vulnerability AssessmentAI

Exploitation Exploitation requires the deployment to be configured using NGINX Ingress Controller CRDs or Ingress annotations (the affected configuration-generation paths), and the attacker must hold Kubernetes API permissions to create or modify those CRDs or Ingress annotations - consistent with CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L) scores 8.7 High: network-reachable via the Kubernetes API, low complexity, but requiring low privileges (PR:L) - an attacker must already hold write access to Ingress objects, CRDs, or annotations. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario In a multi-tenant cluster, a namespace administrator who is permitted to create Ingress resources or NGINX CRDs crafts an annotation or CRD field value that closes the intended directive context and appends attacker-chosen NGINX configuration. When the controller regenerates and reloads its configuration, the injected directives execute with the controller's privileges, allowing the attacker to create or delete files or disable ingress services. …
Remediation Patch available per vendor advisory: F5 has released a fix, documented at https://my.f5.com/manage/s/article/K000161800 - apply the patched NGINX Ingress Controller release listed there (exact fixed version not enumerated in the provided data; confirm on the advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Kubernetes clusters running F5 NGINX Ingress Controller and document current version; identify users and service accounts with permissions to create or modify Ingress custom resources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

CVE-2026-55723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy