CVE-2026-1580 in ingress-nginx
Summary
by MITRE • 02/04/2026
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Analysis
by VulDB Data Team • 02/08/2026
This vulnerability resides within the ingress-nginx controller implementation where a specific Ingress annotation named `nginx.ingress.kubernetes.io/auth-method` presents a critical security flaw. The issue manifests through improper input validation and sanitization mechanisms that allow attackers to inject malicious configuration parameters directly into the nginx configuration processing pipeline. When the ingress-nginx controller processes Ingress resources containing this vulnerable annotation, it fails to adequately validate the input data, creating a path for arbitrary configuration injection that can ultimately result in code execution within the controller's operational context.
The technical exploitation of this vulnerability follows a pattern that aligns with CWE-94, "Improper Control of Generation of Code ('Code Injection')," and is closely related to CWE-74, "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')." Attackers can craft malicious values for the auth-method annotation that, when processed by the controller, are interpreted as legitimate nginx configuration directives. This injection capability extends beyond simple configuration manipulation to enable full code execution within the controller pod's security context, effectively compromising the entire ingress controller deployment.
The operational impact of this vulnerability is severe and multi-layered. The compromised controller can execute arbitrary code with the privileges of the ingress-nginx pod, which in default Kubernetes installations typically has cluster-wide access to all Secrets. This means that successful exploitation directly leads to credential disclosure and potential lateral movement within the cluster. The vulnerability creates a direct pathway for attackers to escalate privileges from a simple ingress configuration manipulation to full cluster compromise, as the controller's default security posture allows access to all cluster Secrets regardless of namespace boundaries. This aligns with ATT&CK technique T1563.002, "Access Token Manipulation: Smart Card Token," and more broadly with privilege escalation tactics in containerized environments.
Mitigation strategies must address both the immediate configuration injection vulnerability and the broader security posture of the ingress controller deployment. Organizations should implement strict input validation for all Ingress annotations, particularly those related to nginx configuration directives, and consider implementing annotation whitelisting policies. The controller should be configured with minimal required permissions, following the principle of least privilege, and cluster-wide Secret access should be restricted through proper RBAC configurations. Additionally, network segmentation and pod security policies should be enforced to limit the blast radius of any successful exploitation attempt. Regular security scanning and monitoring of Ingress resources for suspicious annotation values should be implemented as part of ongoing security operations. The vulnerability also underscores the importance of validating all user-provided inputs in Kubernetes controllers and implementing comprehensive input sanitization mechanisms to prevent similar injection attacks across the platform.
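As an added, defender-side example (not code from the ingress-nginx project or from VulDB), the following Python script implements the monitoring step from the mitigation advice above and the annotation-validation point from the analysis: it scans Ingress objects for `nginx.ingress.kubernetes.io/auth-method` values that are not a bare HTTP method name, which is the only value that annotation needs to carry since its documented purpose is to name the HTTP method of the external auth request. The input format is assumed to be the JSON produced by `kubectl get ingress -A -o json`; the embedded sample is constructed, and the tight allow-list is a design choice of this example rather than the controller's own validation rule.

```python
"""Flag ingress-nginx auth-method annotation values that are not a plain HTTP method.

Added example, not ingress-nginx project code. Assumes the input is the JSON
document produced by `kubectl get ingress -A -o json`.
"""
import json
import re
import sys

AUTH_METHOD = "nginx.ingress.kubernetes.io/auth-method"

# An HTTP method name is a single uppercase token. The HTTP token grammar is
# wider than this, but a method name is all this annotation has to carry, so the
# allow-list is deliberately tight (a design choice of this example).
METHOD_TOKEN = re.compile(r"^[A-Z]{1,16}$")

# Characters that mean something to nginx's configuration parser and never
# belong in a method name: statement terminators, block delimiters, variable
# sigils, comment markers, quotes and line breaks. Listed only to annotate
# findings; the decision itself is allow-list based.
NGINX_META = frozenset(";{}$#\"'\n\r")


def is_suspicious(value: str) -> bool:
    """Return True unless the value is a bare uppercase HTTP method token."""
    return METHOD_TOKEN.fullmatch(value) is None


def scan_ingresses(doc: dict) -> list[dict]:
    """Walk an Ingress list and report every auth-method value that fails the allow-list."""
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        value = annotations.get(AUTH_METHOD)
        if value is None:
            continue  # annotation not set: nothing to validate
        if is_suspicious(value):
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "value": value,
                # which nginx-significant characters appear, for triage
                "metachars": sorted(c for c in set(value) if c in NGINX_META),
            })
    return findings


# Constructed sample: two benign Ingresses and one whose annotation carries
# characters that no HTTP method name contains.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "shop", "name": "api",
                      "annotations": {AUTH_METHOD: "POST"}}},
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {}}},
        {"metadata": {"namespace": "dev", "name": "test",
                      "annotations": {AUTH_METHOD: "GET;\n# constructed: not an HTTP method"}}},
    ]
}


if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json > ingresses.json
    #        python scan_auth_method.py ingresses.json
    # Without an argument the constructed SAMPLE above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for f in scan_ingresses(doc):
        print(f"{f['namespace']}/{f['name']}: auth-method {f['value']!r} "
              f"is not a bare HTTP method (nginx metachars: {f['metachars']})")
```

Run it periodically or as an admission-time check; because the rule is an allow-list rather than a deny-list of known-bad characters, an unexpected value of any shape is surfaced for review instead of relying on a complete enumeration of nginx syntax.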