Kubernetes maintainers disclosed multiple vulnerabilities in ingress-nginx affecting versions earlier than 1.13.7 and 1.14.3, including NGINX configuration injection flaws that can lead to arbitrary code execution in the ingress-nginx controller's context and to disclosure of Secrets. CVE-2026-24512 allows injection via the Ingress rules.http.paths.path field, and CVE-2026-1580 allows injection via the nginx.ingress.kubernetes.io/auth-method annotation; both are rated CVSS 8.8 and are especially high impact in default deployments, where the controller's service account can read Secrets cluster-wide, so code execution in the controller pod exposes every Secret in the cluster. A third configuration injection issue, CVE-2025-15566, is tied to the auth-proxy-set-headers feature. Recommended mitigations are upgrading to v1.13.7, v1.14.3, or later and, as a temporary control until the upgrade lands, using a validating admission policy to reject risky constructs such as the ImplementationSpecific path type or the auth-method annotation on Ingress objects.
A separate ingress-nginx issue, CVE-2026-24514 (CVSS 6.5), affects the validating admission controller feature and enables denial of service: oversized admission requests drive memory consumption in the controller, which can kill the controller pod or exhaust node memory. Detection guidance includes monitoring for unusually large (multi-megabyte) requests to the admission controller and for suspicious payloads in rules.http.paths.path or the nginx.ingress.kubernetes.io/auth-method annotation. One referenced item describing CVE-2025-67601 in the Rancher CLI (a credential/TLS handling weakness involving --skip-verify) concerns a different product and vulnerability and is not part of the ingress-nginx disclosures.
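The temporary control described above, as an added example rather than the Kubernetes project's published policy: a ValidatingAdmissionPolicy (admissionregistration.k8s.io/v1, Kubernetes 1.30 or later) that denies any Ingress using pathType ImplementationSpecific or carrying the auth-method annotation. The third rule goes one step beyond the page's stated mitigation and also blocks the nginx.ingress.kubernetes.io/auth-proxy-set-headers annotation, on the assumption that this is the annotation behind the auth-proxy-set-headers feature named for CVE-2025-15566; drop it if your Ingresses legitimately need it. The policy and binding names are arbitrary.

```yaml
# Added example: block the Ingress constructs that reach the vulnerable
# ingress-nginx configuration templates, cluster-wide, until the controller
# is upgraded. Policy/binding names are assumptions, not project-defined.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: ingress-nginx-config-injection-guard
spec:
  failurePolicy: Fail            # a broken policy denies rather than silently allows
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    # CVE-2026-24512: path is only passed through unescaped for ImplementationSpecific
    - expression: >-
        !has(object.spec.rules) ||
        object.spec.rules.all(r,
          !has(r.http) ||
          r.http.paths.all(p, !has(p.pathType) || p.pathType != 'ImplementationSpecific'))
      message: "pathType ImplementationSpecific is blocked (CVE-2026-24512); use Prefix or Exact"
    # CVE-2026-1580: the auth-method annotation value is injected into the nginx config
    - expression: >-
        !has(object.metadata.annotations) ||
        !('nginx.ingress.kubernetes.io/auth-method' in object.metadata.annotations)
      message: "annotation nginx.ingress.kubernetes.io/auth-method is blocked (CVE-2026-1580)"
    # Assumed annotation for the auth-proxy-set-headers feature (CVE-2025-15566)
    - expression: >-
        !has(object.metadata.annotations) ||
        !('nginx.ingress.kubernetes.io/auth-proxy-set-headers' in object.metadata.annotations)
      message: "annotation nginx.ingress.kubernetes.io/auth-proxy-set-headers is blocked (CVE-2025-15566)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: ingress-nginx-config-injection-guard
spec:
  policyName: ingress-nginx-config-injection-guard
  validationActions: ["Deny"]    # switch to ["Audit"] first to see what would be rejected
```

Apply both objects with kubectl apply and then attempt to create an Ingress with pathType: ImplementationSpecific; the API server should reject it with the first message. Note that this policy is enforced by the API server, so it does not depend on the ingress-nginx admission webhook that CVE-2026-24514 targets; existing Ingress objects are not re-evaluated until they are updated, so audit the current set separately.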

Timeline, most recent first:
Kubernetes published a product advisory for CVE-2025-15566, another ingress-nginx nginx configuration injection flaw tied to auth-proxy-set-headers. This expanded the publicly disclosed set of ingress-nginx configuration injection issues.
Reporting on CVE-2026-24512 explained that authenticated attackers could inject malicious NGINX configuration through an Ingress resource, potentially achieving arbitrary code execution and accessing Secrets available to the ingress-nginx controller. The Kubernetes security response committee recommended upgrading to fixed releases 1.13.7, 1.14.3, or later, or temporarily blocking ImplementationSpecific path usage with a validating admission controller.
Kubernetes published a product advisory for CVE-2026-24514, describing a denial-of-service vulnerability in the ingress-nginx Admission Controller. The disclosure added a separate availability-impacting issue to the ingress-nginx vulnerability set.
Kubernetes published a product advisory for CVE-2026-24512 affecting ingress-nginx, where the rules.http.paths.path field can be abused for nginx configuration injection. Later reporting said this could lead to arbitrary code execution and access to Kubernetes Secrets readable by the controller.
Kubernetes published a product advisory for CVE-2026-1580, an ingress-nginx nginx configuration injection issue involving the auth-method feature. The advisory made the vulnerability publicly known.