8.8

Ingress-Nginx Configuration Injection Allows Malicious Code Execution

CVE-2026-3288
Summary

A vulnerability in Ingress-Nginx lets an attacker inject configuration into nginx through the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation, potentially leading to code execution in the context of the ingress-nginx controller and disclosure of the Secrets that controller can access. This affects Kubernetes environments using Ingress-Nginx. To mitigate this issue, review the annotations on existing Ingress objects, limit who can set Ingress annotations, and consider implementing additional security measures.

Original title
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary...
Original description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-20 Improper Input Validation
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026
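
To support the annotation review recommended in the summary, the following added example (not code from the advisory or from the ingress-nginx project) inventories every Ingress that sets `nginx.ingress.kubernetes.io/rewrite-target` and marks values for manual review. The allowlist pattern, the function name `audit_ingresses` and the sample objects are assumptions made for illustration; the advisory does not describe what an injected value looks like.

```python
import json
import re
import sys

REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

# Assumption (not from the advisory): a plain rewrite target is a path made of
# URL-path characters plus capture references such as $1. Anything else is
# queued for human review rather than declared malicious.
PLAIN_TARGET = re.compile(r"/[A-Za-z0-9/_.~$-]*")

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web", "annotations": {}}},
  {"metadata": {"namespace": "shop", "name": "api",
    "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/$2"}}},
  {"metadata": {"namespace": "dev", "name": "scratch",
    "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/v2 {constructed odd value}"}}}
]}
""")


def audit_ingresses(ingress_list):
    """List every Ingress that sets rewrite-target; flag non-plain values."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if REWRITE_TARGET not in annotations:
            continue
        value = annotations[REWRITE_TARGET]
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "value": value,
            # fullmatch: the whole value must fit the allowlist, newlines included
            "needs_review": PLAIN_TARGET.fullmatch(value) is None,
        })
    return findings


if __name__ == "__main__":
    # Pipe real cluster output in, or run with no input to see the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_ingresses(data):
        status = "REVIEW" if f["needs_review"] else "ok"
        print(f'{status:6} {f["namespace"]}/{f["name"]}: {f["value"]!r}')
```

Against a live cluster, pipe `kubectl get ingress -A -o json` into the script. A `REVIEW` line means the value falls outside the assumed allowlist, not that it is confirmed hostile.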