Warning: Arbitrary Code Execution in Kubernetes ingress-nginx, Patch Immediately!

Published: 20/03/2026
  • Last update:
  • Affected software:
    → ingress-nginx: < v1.13.9
    → ingress-nginx: < v1.14.5
    → ingress-nginx: < v1.15.1
  • Type: Arbitrary Code Execution
  • CVE/CVSS
    → CVE-2026-4342: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/kubernetes/kubernetes/issues/137893

Risks

A newly discovered vulnerability in ingress-nginx allows attackers to inject arbitrary configuration into nginx through malicious Ingress annotations, potentially leading to full remote code execution and cluster-wide exposure of sensitive Kubernetes Secrets.

ingress-nginx is a widely deployed Kubernetes Ingress controller built on nginx, which acts as the reverse proxy and load balancer. Organizations use it to route external HTTP and HTTPS traffic into their clusters, in cloud and on-premise environments alike.

If exploited, this could lead to data breaches, system compromise and operational downtime, affecting the confidentiality, integrity and availability of critical business systems.

Description

A high-severity vulnerability, CVE-2026-4342, has been identified in ingress-nginx versions prior to v1.13.9, v1.14.5 and v1.15.1. The flaw stems from insufficient validation of Ingress annotations: values that the controller renders into the generated nginx configuration are not adequately checked, so an attacker who can create or modify Ingress objects (low privileges, PR:L in the CVSS vector) can craft a combination of annotations that injects arbitrary nginx configuration. This can lead to arbitrary code execution in the context of the ingress-nginx controller and to the disclosure of any Secret the controller can read. In the default installation the controller's service account can read all Secrets cluster-wide (it must fetch the TLS Secrets referenced by Ingress objects in every namespace), so a successful exploit exposes every Secret in the cluster, not only those in the attacker's own namespace. Users of affected versions should upgrade immediately to v1.13.9, v1.14.5 or v1.15.1.

If you do not have ingress-nginx installed on your cluster, you are not affected.
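Two checks worth running right away, as an added example (this is not code from the advisory or from the ingress-nginx project): whether the controller image running in the cluster is older than the fixed release of its branch, and which Ingress objects carry nginx annotations with raw configuration snippets or directive-like syntax in their values, as a review and monitoring heuristic for the Monitor/Detect step below. The advisory does not disclose which annotation combination triggers the injection, so the scan is a generic review of the attack surface, not a signature for CVE-2026-4342. The kubectl commands in the docstring use the upstream default namespace, deployment and service-account names (ingress-nginx); the embedded JSON is a constructed sample. One assumption is marked in the code: release branches newer than 1.15 are treated as fixed, which should be confirmed against the project's release notes.

```python
"""Triage helpers for CVE-2026-4342 in ingress-nginx (added example).

  1. is_vulnerable(image_tag): is the running controller on a release
     before the fixed versions v1.13.9 / v1.14.5 / v1.15.1?
  2. scan_ingresses(doc): list Ingress annotations whose values carry
     raw nginx configuration, as a review/monitoring heuristic.

Real input (the SAMPLE below is constructed). Names are the upstream
defaults; adjust them to your installation:
  kubectl get deploy -n ingress-nginx ingress-nginx-controller \\
      -o jsonpath='{.spec.template.spec.containers[0].image}'
  kubectl get ingress -A -o json > ingresses.json
To confirm the cluster-wide Secret access mentioned in the advisory:
  kubectl auth can-i get secrets --all-namespaces \\
      --as=system:serviceaccount:ingress-nginx:ingress-nginx
"""
import json
import re
import sys

# Patch level that closes CVE-2026-4342 on each affected release branch
# (from the advisory). Branches older than 1.13 never received a fix.
FIXED_PATCH = {(1, 13): 9, (1, 14): 5, (1, 15): 1}

NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that terminate an nginx directive or open/close a block.
SUSPICIOUS = re.compile(r"[\n;{}#]")


def parse_version(image_tag):
    """'registry/controller:v1.14.3@sha256:...' -> (1, 14, 3); None if unparseable."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", image_tag.rsplit("/", 1)[-1])
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(image_tag):
    """True if the tag is before the fixed release of its branch.

    Returns None when the tag cannot be parsed (e.g. ':latest')."""
    v = parse_version(image_tag)
    if v is None:
        return None
    major, minor, patch = v
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    if (major, minor) < (1, 13):
        return True  # everything older than 1.13 predates every fix
    # Assumption: branches newer than 1.15 were cut after the fix.
    return False


def scan_ingresses(doc):
    """doc: parsed 'kubectl get ingress -A -o json'. Returns (ref, key, why)."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        ref = f'{meta.get("namespace")}/{meta.get("name")}'
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(NGINX_ANNOTATION_PREFIX):
                continue
            name = key[len(NGINX_ANNOTATION_PREFIX):]
            if name.endswith("-snippet"):
                # *-snippet annotations are raw nginx config by design.
                findings.append((ref, key, "raw nginx config snippet"))
            elif SUSPICIOUS.search(str(value)):
                findings.append((ref, key, "directive syntax in value"))
    return findings


# Constructed sample (not from a real cluster): an ordinary Ingress, one
# using a server-snippet, and one whose rewrite value embeds a directive.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web", "annotations": {
   "nginx.ingress.kubernetes.io/rewrite-target": "/$1",
   "nginx.ingress.kubernetes.io/ssl-redirect": "true"}}},
 {"metadata": {"namespace": "dev", "name": "api", "annotations": {
   "nginx.ingress.kubernetes.io/server-snippet": "more_set_headers 'X-Test: 1';"}}},
 {"metadata": {"namespace": "dev", "name": "odd", "annotations": {
   "nginx.ingress.kubernetes.io/rewrite-target": "/;\\nlocation /x { }"}}}
]}
""")


def main(argv):
    """Usage: python triage.py <controller-image> [ingresses.json]"""
    image = argv[1] if len(argv) > 1 else "registry.k8s.io/ingress-nginx/controller:v1.14.3"
    doc = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE
    print(f"{image}: vulnerable={is_vulnerable(image)}")
    for ref, key, why in scan_ingresses(doc):
        print(f"REVIEW {ref} {key}: {why}")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the behaviour on the constructed sample; pass the real image reference and the exported ingresses.json to triage an actual cluster. Snippet annotations are reported even on patched versions because they are an injection surface by design and are worth disabling (allow-snippet-annotations) unless a workload genuinely needs them.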

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already occurred.

References

https://github.com/kubernetes/kubernetes/issues/137893