Skip to main content

Nginx Ingress Controller

8 CVEs product

Monthly

CVE-2026-52865 HIGH PATCH This Week

Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.

Nginx Denial Of Service Null Pointer Dereference Nginx Ingress Controller
NVD
CVSS 4.0
7.1
CVE-2026-55723 HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection Nginx Ingress Controller
NVD
CVSS 4.0
8.7
CVE-2026-1642 MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source Nginx Instance Manager Nginx Gateway Fabric +3
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2024-10318 MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx Nginx Api Connectivity Manager Nginx Ingress Controller +2
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2022-41743 HIGH This Week

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Nginx Plus
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2022-41742 HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Fedora +1
NVD
CVSS 3.1
7.1
EPSS
1.1%
CVE-2022-41741 HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow Nginx Ingress Controller Fedora +1
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2022-30535 MEDIUM This Month

In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Ingress Controller
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVSS 7.1
HIGH PATCH This Week

Denial of service in F5 NGINX Ingress Controller allows an authenticated remote attacker holding write access to Ingress or TransportServer resources to crash the control plane by submitting a malformed resource. Because the offending resource persists in the cluster, the controller re-reads it and re-crashes, producing a durable crash loop rather than a one-time outage. There is no public exploit identified at time of analysis, and impact is confined to the control plane with no data plane or confidentiality/integrity exposure.

Nginx Denial Of Service Null Pointer Dereference +1
NVD
CVSS 8.7
HIGH PATCH This Week

Configuration injection in F5 NGINX Ingress Controller lets an authenticated Kubernetes user with rights to create or modify Ingress CRDs or annotations smuggle arbitrary NGINX directives into the generated configuration. Because multiple user-controllable fields are written to the config without sanitization, an attacker can inject directives that create or delete files and disable services on the control plane. No public exploit identified at time of analysis; this is a control-plane-only issue with no data plane exposure, but the CVSS 4.0 score of 8.7 (High) reflects strong confidentiality and integrity impact.

Nginx Kubernetes Code Injection +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source +5
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx +4
NVD
EPSS 0% CVSS 7.0
HIGH This Week

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.

Memory Corruption Nginx Buffer Overflow +2
NVD
EPSS 1% CVSS 7.1
HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow +3
NVD
EPSS 1% CVSS 7.8
HIGH This Week

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Nginx Buffer Overflow +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In versions 2.x before 2.3.0 and all versions of 1.x, An attacker authorized to create or update ingress objects can obtain the secrets available to the NGINX Ingress Controller. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Ingress Controller
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy