CVE-2026-4342
ingress-nginx comment-based nginx configuration injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Se descubrió un problema de seguridad en ingress-nginx donde una combinación de anotaciones de Ingress puede utilizarse para inyectar configuración en nginx. Esto puede conducir a la ejecución de código arbitrario en el contexto del controlador ingress-nginx, y a la divulgación de Secrets accesibles para el controlador. (Tenga en cuenta que en la instalación predeterminada, el controlador puede acceder a todos los Secrets a nivel de clúster.)
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2026-03-17 CVE Reserved
- 2026-03-19 CVE Published
- 2026-03-21 CVE Updated
- 2026-03-25 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
- CAPEC-176: Configuration/Environment Manipulation
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/kubernetes/kubernetes/issues/137893 | ||
| http://www.openwall.com/lists/oss-security/2026/03/19/9 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Kubernetes Search vendor "Kubernetes" | Ingress-nginx Search vendor "Kubernetes" for product "Ingress-nginx" | < 1.13.9 Search vendor "Kubernetes" for product "Ingress-nginx" and version " < 1.13.9" | en |
Affected
| ||||||
| Kubernetes Search vendor "Kubernetes" | Ingress-nginx Search vendor "Kubernetes" for product "Ingress-nginx" | < 1.14.5 Search vendor "Kubernetes" for product "Ingress-nginx" and version " < 1.14.5" | en |
Affected
| ||||||
| Kubernetes Search vendor "Kubernetes" | Ingress-nginx Search vendor "Kubernetes" for product "Ingress-nginx" | < 1.15.1 Search vendor "Kubernetes" for product "Ingress-nginx" and version " < 1.15.1" | en |
Affected
| ||||||