CVE-2026-4342 in Kubernetes

Summary

by MITRE • 03/20/2026

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)


Analysis

by VulDB Data Team • 05/20/2026

This vulnerability is a critical configuration-injection flaw in the ingress-nginx controller, rooted in the way annotations on Ingress resources are processed. The controller translates annotation values directly into nginx configuration directives without sufficient validation and sanitization. When specific combinations of Ingress annotations are applied, user-supplied data is incorporated into the generated nginx configuration file without being properly escaped or validated, so malicious input can be interpreted as executable code rather than as a configuration parameter. The flaw is particularly dangerous because it sits at the boundary between user-facing Ingress resources and the nginx process execution context, allowing attackers to escalate privileges and execute arbitrary commands with the same permissions as the ingress-nginx controller.

Exploitation leverages the trust model of Kubernetes ingress controllers, in which annotations are treated as configuration parameters without adequate sanitization. Attackers can craft annotation values that, when processed by the controller, result in the injection of dangerous nginx directives such as Lua scripts, custom error pages, or other executable configuration. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), both well documented in the CWE database as common vectors for code injection and command execution. The attack pattern aligns with ATT&CK technique T1059.007 - Command and Scripting Interpreter: Python, and T1059.006 - Command and Scripting Interpreter: PowerShell, as the injection occurs at the nginx configuration level where these interpreters may be invoked.

The operational impact of this vulnerability extends beyond simple code execution to include complete cluster compromise, as the ingress-nginx controller typically operates with broad cluster permissions in default installations. The controller's ability to access all Secrets cluster-wide means that successful exploitation not only allows for arbitrary code execution but also provides attackers with access to sensitive credentials, certificates, and other confidential information stored in the cluster's secret management system. This creates a multi-layered attack surface where the initial code execution can be followed by lateral movement and data exfiltration. The vulnerability's severity is amplified by the fact that it can be exploited through standard ingress resource manipulation, making it accessible to attackers who have permissions to create or modify ingress resources within the cluster.

Mitigation strategies should focus on implementing strict input validation and sanitization mechanisms within the ingress-nginx controller to prevent annotation values from being directly translated into executable nginx configurations. Organizations should enforce the principle of least privilege by configuring the ingress-nginx controller with minimal required permissions and restricting its access to cluster Secrets through RBAC policies. Additionally, implementing network segmentation and using admission controllers such as OPA Gatekeeper or Kyverno can provide additional layers of validation to prevent malicious annotation combinations from being processed. The controller should be updated to version 1.10.1 or later where the vulnerability has been patched through enhanced input sanitization and improved configuration parsing logic. Regular security audits of ingress configurations and monitoring for unusual annotation patterns should also be implemented to detect potential exploitation attempts. Organizations should also consider implementing runtime protection mechanisms that can detect and block suspicious nginx configuration modifications that could indicate exploitation attempts.
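The audit and monitoring advice above can be turned into a concrete check. The Python script below is an added example written for this page; it is not code from VulDB, MITRE or the ingress-nginx project, and it does not reproduce the vulnerable annotation combination, which the advisory does not spell out. It walks Ingress objects (constructed sample objects embedded inline; in practice they would come from `kubectl get ingress -A -o json` or the Kubernetes API) and flags annotations under the `nginx.ingress.kubernetes.io/` prefix that either are raw snippet annotations or carry values shaped like nginx configuration rather than a plain parameter. The snippet annotation names are real ingress-nginx annotations; the directive heuristics are constructed assumptions meant to be tuned per cluster.

```python
import re
from typing import Dict, List, Tuple

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"

# Annotations that let an Ingress author hand raw nginx configuration to the
# controller. These names are real ingress-nginx annotations; whether any of
# them is legitimately needed in a given cluster is a local policy decision.
SNIPPET_ANNOTATIONS = {
    "configuration-snippet",
    "server-snippet",
    "stream-snippet",
    "auth-snippet",
    "modsecurity-snippet",
}

# Heuristics (constructed for this example, not taken from the advisory) for
# values that look like nginx config: directive terminators, block delimiters,
# embedded newlines, OpenResty/Lua hooks and error_page directives.
DIRECTIVE_PATTERNS = [
    (re.compile(r"[;{}]"), "nginx directive terminator or block delimiter"),
    (re.compile(r"[\r\n]"), "multi-line value"),
    (re.compile(r"\b\w+_by_lua\w*\b"), "Lua hook directive"),
    (re.compile(r"\berror_page\b"), "custom error_page directive"),
]

Finding = Tuple[str, str, str]  # (namespace/name, annotation key, reason)


def audit_ingress(ingress: Dict) -> List[Finding]:
    """Return one finding per (annotation, reason) pair on a single Ingress."""
    meta = ingress.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: List[Finding] = []
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(NGINX_PREFIX):
            continue  # not an ingress-nginx annotation
        if key[len(NGINX_PREFIX):] in SNIPPET_ANNOTATIONS:
            findings.append((ident, key, "raw nginx snippet annotation"))
        for pattern, reason in DIRECTIVE_PATTERNS:
            if pattern.search(str(value)):
                findings.append((ident, key, reason))
    return findings


def risky_ingresses(ingresses) -> List[str]:
    """Sorted identifiers of every Ingress that produced at least one finding."""
    return sorted({f[0] for ing in ingresses for f in audit_ingress(ing)})


# Constructed sample objects, shaped like the 'items' of a Kubernetes IngressList.
# The second one is a deliberately odd fixture for the detector, not an exploit.
SAMPLE_INGRESSES = [
    {
        "metadata": {
            "namespace": "shop",
            "name": "web",
            "annotations": {
                "nginx.ingress.kubernetes.io/rewrite-target": "/",
                "nginx.ingress.kubernetes.io/proxy-body-size": "8m",
                "kubernetes.io/ingress.class": "nginx",
            },
        }
    },
    {
        "metadata": {
            "namespace": "tenant-b",
            "name": "suspicious",
            "annotations": {
                "nginx.ingress.kubernetes.io/configuration-snippet":
                    "more_set_headers 'X-Frame-Options: DENY';",
                "nginx.ingress.kubernetes.io/auth-url":
                    "http://auth.svc;\ncontent_by_lua_block { }",
            },
        }
    },
]

if __name__ == "__main__":
    for ing in SAMPLE_INGRESSES:
        for ident, key, reason in audit_ingress(ing):
            print(f"{ident}: {key}: {reason}")
    print("risky:", risky_ingresses(SAMPLE_INGRESSES))
```

The same two rules (deny the snippet annotations outright, reject annotation values containing directive syntax) map directly onto a Kyverno or Gatekeeper admission policy, which blocks the object at creation time instead of reporting it afterwards. Independently of any policy engine, the ingress-nginx ConfigMap key `allow-snippet-annotations` set to `"false"` (a real controller setting, not mentioned in the advisory) makes the controller ignore snippet annotations entirely.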

Responsible

Kubernetes

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00057

KEV

no

Activities

very low

Sources
