Tags: cloud-service-vulnerability, widely-deployed-product-advisory, identity-authentication-vulnerability

Arbitrary Code Execution Flaw in Kubernetes ingress-nginx Requires Immediate Patching

Updated 4d ago | First seen Mar 20, 2026 | 3 sources

Belgium's Centre for Cybersecurity warned organizations to patch Kubernetes ingress-nginx immediately after disclosure of an arbitrary code execution issue affecting the widely used NGINX Ingress Controller. The flaw, tracked as CVE-2026-3288, is a high-severity configuration injection vulnerability that lets an authenticated user with permission to create or modify Ingress resources inject arbitrary nginx directives through a crafted double quote in the Ingress path field, potentially leading to remote code execution and exposure of secrets accessible to the controller.

Sysdig reported that CVE-2026-3288 was fixed on March 9, 2026 and stemmed from an incomplete remediation of the related CVE-2026-24512. According to the company, sanitization had been added to one code path but omitted from another, while built-in validation relied on an incomplete blocklist that attackers could bypass with payloads such as return directives. Affected releases include ingress-nginx versions before v1.13.8, v1.14.4, and v1.15.0; defenders were urged to upgrade, tighten RBAC permissions for Ingress changes, and monitor Kubernetes audit logs for signs of exploitation.
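One way to act on the upgrade and audit-log guidance above, as an added example rather than code from Sysdig, the CCB or the ingress-nginx project: it checks a controller version against the fixed releases listed here and flags Ingress writes whose path contains a double quote, for review. The per-branch reading of the fixed versions, the function names and the sample events are assumptions, and `requestObject` is only present when the audit policy records at Request level or above.

```python
import json
import re
# Fixed releases as listed on the page; reading them per release branch is an assumption.
FIXED_PATCH = {(1, 13): 8, (1, 14): 4}
FIRST_FIXED_BRANCH = (1, 15)

def is_patched(version):
    """True if a controller version such as 'v1.14.3' is at or past a fixed release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    return patch >= FIXED_PATCH.get((major, minor), float("inf"))

def quoted_paths(ingress):
    """Return every spec.rules[].http.paths[].path containing a double quote."""
    if not isinstance(ingress, dict):
        return []  # e.g. a JSON-patch list body, which this sketch does not parse
    hits = []
    for rule in (ingress.get("spec") or {}).get("rules") or []:
        for entry in (rule.get("http") or {}).get("paths") or []:
            path = entry.get("path") or ""
            if '"' in path:
                hits.append(path)
    return hits

def scan_audit_log(lines):
    """Return (user, namespace, path) for Ingress writes that carry a quoted path."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
            ref = ev.get("objectRef") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # tolerate truncated lines and JSON that is not an event object
        if ref.get("resource") != "ingresses" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        user = (ev.get("user") or {}).get("username", "?")
        for path in quoted_paths(ev.get("requestObject")):
            findings.append((user, ref.get("namespace", "?"), path))
    return findings

# Constructed sample events (not taken from a real cluster or from the page).
def _ev(verb, user, path):
    spec = {"rules": [{"http": {"paths": [{"path": path}]}}]}
    return json.dumps({"verb": verb, "user": {"username": user}, "objectRef": {"resource": "ingresses", "namespace": "shop"}, "requestObject": {"spec": spec}})
SAMPLE = [_ev("create", "ci-bot", "/cart"), _ev("update", "dev-user", '/api"constructed-placeholder'), "not json"]
```

A hit is a prompt to review who wrote the object and why, alongside the RBAC tightening the advisory recommends; it is not proof of exploitation on its own.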


EVENT TIMELINE

How this story unfolded

5 events from the most recent confirmed update back to the earliest known activity.

Mar 20, 2026 (3mo ago)

Belgium CCB issues public warning to patch ingress-nginx immediately

On 2026-03-20, Belgium's Centre for Cybersecurity issued an advisory warning about arbitrary code execution in Kubernetes ingress-nginx and urged organizations to patch immediately. The advisory elevated public awareness of the risk following disclosure of the vulnerability.

Mar 17, 2026 (4mo ago)

Sysdig publishes technical analysis and detection guidance

On 2026-03-17, Sysdig published research explaining that CVE-2026-3288 stemmed from incomplete remediation of CVE-2026-24512 and described how DeepInspect validation could be bypassed. The post also provided detection guidance, including monitoring recommendations and a Falco rule based on Kubernetes audit logs.

Mar 9, 2026 (4mo ago)

Ingress-nginx patches CVE-2026-3288 configuration injection flaw

On 2026-03-09, ingress-nginx fixed CVE-2026-3288, a high-severity configuration injection vulnerability that could let an authenticated user who can create or modify Ingress resources inject arbitrary nginx directives. The issue affected releases before v1.13.8, v1.14.4, and v1.15.0 and could lead to remote code execution and disclosure of controller-accessible secrets.

Mar 25, 2025 (1y ago)

Traficom warns of multiple ingress-nginx RCE flaws and urges upgrades

On 2025-03-25, Finland's Traficom warned that multiple vulnerabilities in the Kubernetes ingress-nginx controller could allow an unauthenticated attacker to execute arbitrary code on vulnerable clusters. The advisory said versions 1.11.4 and earlier and 1.12.0 were affected, urged upgrading to 1.12.1 or 1.11.5, and pointed to Kubernetes mitigation guidance for cases where immediate patching was not possible.

Source: Traficom, "Kuberneteksen ingress-nginx controller -komponentissa useita haavoittuvuuksia" (Multiple vulnerabilities in the Kubernetes ingress-nginx controller component)

Ingress-nginx flaw CVE-2026-24512 is remediated incompletely

A prior vulnerability, CVE-2026-24512, was addressed in ingress-nginx, but the fix only added sanitization to buildLocation() and omitted buildProxyPass(). This incomplete remediation left a path for configuration injection to persist.
