CVE-2026-1580: ingress-nginx auth-method nginx configuration injection #136677

@tabbysable

Description

CVSS Rating: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-method Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Am I vulnerable?

This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

Affected Versions

  • ingress-nginx: < v1.13.7
  • ingress-nginx: < v1.14.3

How do I mitigate this vulnerability?

ACTION REQUIRED: The following steps must be taken to mitigate this vulnerability: Upgrade ingress-nginx to v1.13.7, v1.14.3, or any later version.

Prior to upgrading, this vulnerability can be mitigated by using a validating admission controller to reject Ingress resources with the nginx.ingress.kubernetes.io/auth-method annotation.

How to upgrade?

To upgrade, refer to the documentation: Upgrading Ingress-nginx

Detection

Suspicious data within the nginx.ingress.kubernetes.io/auth-method annotation of an Ingress resource could indicate an attempt to exploit this vulnerability.
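As an added example (not part of the advisory or the ingress-nginx project), the following script turns the detection guidance above into a check, and doubles as a pre-upgrade audit for the mitigation section: it reads the JSON from `kubectl get ingress --all-namespaces -o json`, lists every Ingress carrying the auth-method annotation, and flags any value that is not a plain HTTP method token (the uppercase-letters-only rule, the `SAMPLE_INGRESS_LIST` data and the helper names are the example's own assumptions).

```python
"""Audit Ingress resources for nginx.ingress.kubernetes.io/auth-method values.

Input: JSON from `kubectl get ingress --all-namespaces -o json` on stdin,
or the constructed sample below when run without piped input.
"""
import json
import re
import sys

AUTH_METHOD_ANNOTATION = "nginx.ingress.kubernetes.io/auth-method"

# Assumption: a legitimate value is a single HTTP method token such as GET or
# POST. Whitespace, newlines, ';', '{', '}', '$' or quotes have no business in
# a method name, so any value outside this pattern is reported as suspicious.
HTTP_METHOD_TOKEN = re.compile(r"^[A-Z]{1,16}$")


def classify_auth_method(value: str) -> str:
    """Return 'ok' for a plain HTTP method token, 'suspicious' otherwise."""
    return "ok" if HTTP_METHOD_TOKEN.fullmatch(value) else "suspicious"


def audit_ingress_list(ingress_list: dict) -> list[dict]:
    """Return one finding per Ingress that carries the auth-method annotation."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if AUTH_METHOD_ANNOTATION not in annotations:
            continue  # no annotation: not exposed via this vector
        value = annotations[AUTH_METHOD_ANNOTATION]
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "value": value,
            "verdict": classify_auth_method(value),
        })
    return findings


# Constructed sample in the shape of an IngressList (not real cluster data):
# a clean value, a value containing non-token characters, and no annotation.
SAMPLE_INGRESS_LIST = {"items": [
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {AUTH_METHOD_ANNOTATION: "GET"}}},
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {AUTH_METHOD_ANNOTATION: "POST ; extra"}}},
    {"metadata": {"namespace": "shop", "name": "static"}},
]}

if __name__ == "__main__":
    data = SAMPLE_INGRESS_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_ingress_list(data):
        print(f"{f['verdict']:<10} {f['namespace']}/{f['name']}: {f['value']!r}")
```

Every Ingress listed with the annotation, suspicious or not, is a candidate for the admission-policy rejection described in the mitigation section until the controller is upgraded.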

Acknowledgements

This issue was discovered by Volcengine Security Team.
The issue was fixed and coordinated by Steven Jin, Marco Ebert, and Tabitha Sable.

If you find evidence that this vulnerability has been exploited, please contact [email protected]

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig network

OSV format
{
  "schema_version": "1.6.0",
  "id": "CVE-2026-1580",
  "modified": "2026-02-02T15:59:49Z",
  "summary": "ingress-nginx auth-method nginx configuration injection",
  "details": "A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Kubernetes",
        "name": "ingress-nginx"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "v1.13.7"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "v1.14.3"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
    }
  ]
}
