Warning: Multiple Vulnerabilities in Kubernetes ingress-nginx

Published: 09/02/2026
  • Last update: 09-02-2026
  • Affected software:
    → ingress-nginx: < v1.13.7
    → ingress-nginx: < v1.14.3
  • Type:
    → CWE-20 – Improper Input Validation
    → CWE-770 – Allocation of Resources Without Limits or Throttling
    → CWE-754 – Improper Check for Unusual or Exceptional Conditions
  • CVE/CVSS
    → CVE-2026-1580: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-24512: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    → CVE-2026-24514: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    → CVE-2026-24513: CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Sources

https://github.com/kubernetes/kubernetes/issues/136677
https://github.com/kubernetes/kubernetes/issues/136678
https://github.com/kubernetes/kubernetes/issues/136679
https://github.com/kubernetes/kubernetes/issues/136680

Risks

ingress-nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer, allowing it to monitor and route incoming traffic to Kubernetes Services. The disclosed vulnerabilities could allow an attacker with limited privileges to remotely exploit the service in order to bypass authentication, disrupt the availability of backend processes and achieve remote code execution.

The impact of successful exploitation could thus considerably affect the confidentiality, integrity and availability of the affected Kubernetes cluster and hosted services.

Description

The CVEs involve the following mechanisms:

  • CVE-2026-1580 – Improper Input Validation: An attacker with access to the Ingress annotation nginx.ingress.kubernetes.io/auth-method could use it to inject code that would be run by the ingress-nginx controller. Such an exploit could lead to the compromise of the host system and disclosure of sensitive information.
  • CVE-2026-24512 – Improper Input Validation: An attacker with access to the Ingress field rules.http.paths.path could use it to inject code that would be run by the ingress-nginx controller. Such an exploit could lead to the compromise of the host system and disclosure of sensitive information.
  • CVE-2026-24513 – Improper Check for Unusual or Exceptional Conditions: Certain configurations of ingress-nginx allow a flaw in the ‘auth-url’ Ingress annotation to make it misbehave, resulting in unauthenticated access.
  • CVE-2026-24514 – Allocation of Resources Without Limits or Throttling: An attacker could exploit a flaw in the ingress-nginx validating admission controller feature by sending a large number of requests, exhausting memory resources and resulting in the termination of the controller pod or a node denial of service.
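The following script is an added defensive example, not code from the CCB or the ingress-nginx project. It checks a controller version tag against the fixed versions listed above and scans `kubectl get ingress -A -o json` output for the two Ingress inputs named in CVE-2026-1580 and CVE-2026-24512 (the auth-method annotation and rules.http.paths.path) with values that do not look like a plain HTTP method or a plain URL path. The "looks abnormal" heuristics and the sample JSON are assumptions constructed for the example; they are not the actual payloads, which the advisory does not publish.

```python
import json
import re
from typing import Iterator

# Fixed versions from the advisory; assumption: release lines older than 1.13 are also affected.
FIXED_1_13 = (1, 13, 7)
FIXED_1_14 = (1, 14, 3)

AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"
# Heuristic (assumption): a legitimate auth-method is a bare upper-case HTTP method token,
# and a legitimate path carries no whitespace or nginx-config metacharacters.
METHOD_RE = re.compile(r"[A-Z]{3,10}")
PATH_BAD_RE = re.compile(r"[\s;{}$#\"'\\]")


def parse_version(tag: str) -> tuple:
    """Turn a tag such as 'v1.13.6' into (1, 13, 6)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag}")
    return tuple(int(x) for x in m.groups())


def is_affected(tag: str) -> bool:
    """True when the controller version is below the fixed release of its line."""
    v = parse_version(tag)
    if v < FIXED_1_13:
        return True
    return v[:2] == (1, 14) and v < FIXED_1_14


def suspicious_ingresses(ingress_list: dict) -> Iterator[str]:
    """Yield one finding per abnormal auth-method annotation or path value."""
    for item in ingress_list.get("items", []):
        meta = item["metadata"]
        name = f"{meta.get('namespace', 'default')}/{meta['name']}"
        method = meta.get("annotations", {}).get(AUTH_METHOD)
        if method is not None and not METHOD_RE.fullmatch(method):
            yield f"{name}: unexpected {AUTH_METHOD}={method!r}"
        for rule in item.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                path = p.get("path", "")
                if PATH_BAD_RE.search(path):
                    yield f"{name}: suspicious path {path!r}"


# Constructed sample shaped like `kubectl get ingress -A -o json`; not real cluster data.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "shop", "name": "web",
   "annotations": {"nginx.ingress.kubernetes.io/auth-method": "POST"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/api"}]}}]}},
 {"metadata": {"namespace": "dev", "name": "odd",
   "annotations": {"nginx.ingress.kubernetes.io/auth-method": "GET;\\n"}},
  "spec": {"rules": [{"http": {"paths": [{"path": "/a b;"}]}}]}}]}""")

if __name__ == "__main__":
    print("controller v1.13.6 affected:", is_affected("v1.13.6"))
    for finding in suspicious_ingresses(SAMPLE):
        print(finding)
```

Run it against real output by replacing SAMPLE with `json.load(open("ingresses.json"))`; hits are review items for the cluster owner, not proof of compromise.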

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.