Arbitrary Code Execution Flaw in Kubernetes ingress-nginx Requires Immediate Patching
Belgium's Centre for Cybersecurity warned organizations to patch Kubernetes ingress-nginx immediately after disclosure of an arbitrary code execution issue affecting the widely used NGINX Ingress Controller. The flaw, tracked as CVE-2026-3288, is a high-severity configuration injection vulnerability that lets an authenticated user with permission to create or modify Ingress resources inject arbitrary nginx directives through a crafted double quote in the Ingress path field, potentially leading to remote code execution and exposure of secrets accessible to the controller.
Sysdig reported that CVE-2026-3288 was fixed on March 9, 2026 and stemmed from an incomplete remediation of the related CVE-2026-24512. According to the company, sanitization had been added to one code path but omitted from another, while built-in validation relied on an incomplete blocklist that attackers could bypass with payloads such as return directives. Affected releases include ingress-nginx versions before v1.13.8, v1.14.4, and v1.15.0; defenders were urged to upgrade, tighten RBAC permissions for Ingress changes, and monitor Kubernetes audit logs for signs of exploitation.
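The audit-log monitoring advice above can be sketched as follows. This is an added example, not code from Sysdig's post or the ingress-nginx project: it flags Ingress create, update and patch events whose path field contains a double quote. It assumes the audit policy records Ingress writes at Request level or higher, so that `requestObject` is present; the function names and the sample events are constructed for illustration.

```python
import json

WRITE_VERBS = {"create", "update", "patch"}

def as_dict(x):
    return x if isinstance(x, dict) else {}

def ingress_paths(obj):
    """Yield spec.rules[].http.paths[].path strings (JSON Patch arrays are skipped)."""
    rules = as_dict(as_dict(obj).get("spec")).get("rules")
    for rule in rules if isinstance(rules, list) else []:
        paths = as_dict(as_dict(rule).get("http")).get("paths")
        for p in paths if isinstance(paths, list) else []:
            if isinstance(as_dict(p).get("path"), str):
                yield p["path"]

def find_quoted_paths(lines):
    """Return one finding per Ingress write whose path holds a double quote."""
    findings = []
    for line in lines:
        try:
            ev = as_dict(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        ref = as_dict(ev.get("objectRef"))
        if ref.get("resource") != "ingresses" or ev.get("verb") not in WRITE_VERBS:
            continue
        bad = [p for p in ingress_paths(ev.get("requestObject")) if '"' in p]
        if bad:
            findings.append({"user": as_dict(ev.get("user")).get("username"),
                             "namespace": ref.get("namespace"), "name": ref.get("name"),
                             "verb": ev["verb"], "paths": bad})
    return findings

def sample_event(verb, user, name, path, resource="ingresses"):
    """Constructed audit.k8s.io/v1 event, trimmed to the fields read above."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": "demo", "name": name},
        "requestObject": {"spec": {"rules": [{"http": {"paths": [{"path": path}]}}]}},
    })

SAMPLE_LOG = [  # constructed input, not real audit data
    sample_event("create", "dev-a", "shop", "/cart"),
    sample_event("update", "dev-b", "blog", '/posts" PLACEHOLDER-TEXT'),
    "not json at all",
]

print(find_quoted_paths(SAMPLE_LOG))
```

A hit identifies the user, namespace and Ingress name to review; it complements upgrading and tightening RBAC and does not replace either.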

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Belgium CCB issues public warning to patch ingress-nginx immediately
On 2026-03-20, Belgium's Centre for Cybersecurity issued an advisory warning about arbitrary code execution in Kubernetes ingress-nginx and urged organizations to patch immediately. The advisory elevated public awareness of the risk following disclosure of the vulnerability.
Sysdig publishes technical analysis and detection guidance
On 2026-03-17, Sysdig published research explaining that CVE-2026-3288 stemmed from incomplete remediation of CVE-2026-24512 and described how DeepInspect validation could be bypassed. The post also provided detection guidance, including monitoring recommendations and a Falco rule based on Kubernetes audit logs.
Ingress-nginx patches CVE-2026-3288 configuration injection flaw
On 2026-03-09, ingress-nginx fixed CVE-2026-3288, a high-severity configuration injection vulnerability that could let an authenticated user who can create or modify Ingress resources inject arbitrary nginx directives. The issue affected releases before v1.13.8, v1.14.4, and v1.15.0 and could lead to remote code execution and disclosure of controller-accessible secrets.
Traficom warns of multiple ingress-nginx RCE flaws and urges upgrades
On 2025-03-25, Finland's Traficom warned that multiple vulnerabilities in the Kubernetes ingress-nginx controller could allow an unauthenticated attacker to execute arbitrary code on vulnerable clusters. The advisory said versions 1.11.4 and earlier and 1.12.0 were affected, urged upgrading to 1.12.1 or 1.11.5, and pointed to Kubernetes mitigation guidance for cases where immediate patching was not possible.
Ingress-nginx flaw CVE-2026-24512 is remediated incompletely
A prior vulnerability, CVE-2026-24512, was addressed in ingress-nginx, but the fix only added sanitization to buildLocation() and omitted buildProxyPass(). This incomplete remediation left a path for configuration injection to persist.
Sources
Warning: Arbitrary Code Execution in Kubernetes ingress-nginx, Patch Immediately! | CCB Safeonweb (ccb.belgium.be)
Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes | Sysdig (webflow.sysdig.com)
Multiple vulnerabilities in the Kubernetes ingress-nginx controller component | Traficom (kyberturvallisuuskeskus.fi)


