CVE-2026-55723 in NGINX Ingress Controllerinfo

Summary

by MITRE • 07/15/2026

When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives.

Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability described represents a critical configuration injection flaw within the NGINX Ingress Controller that stems from insufficient input sanitization in its configuration generation process. This issue specifically manifests when the controller operates with Custom Resource Definitions or Ingress annotations, creating an attack surface where user-controllable inputs can be directly translated into NGINX configuration directives without proper validation or sanitization mechanisms. The flaw exists at the control plane level rather than the data plane, meaning that exploitation requires authenticated access to Kubernetes API resources but does not require network exposure to the ingress controller itself.

The technical implementation of this vulnerability allows an attacker with write permissions to modify CRDs or Ingress annotations to inject malicious configuration directives into the NGINX configuration files. This occurs because the configuration generator processes user inputs directly without adequate sanitization, creating a path for arbitrary code execution within the NGINX process context. The injected directives can potentially manipulate file system operations, disable services, or create unauthorized access points within the ingress controller's operational scope.

This vulnerability aligns with CWE-94, which describes "Improper Control of Generation of Code" and specifically relates to situations where user-supplied input is used to generate executable code without proper validation. The attack vector follows patterns consistent with ATT&CK technique T1059.006 for command and scripting interpreter, as attackers could potentially inject shell commands or configuration directives that execute within the NGINX process. The impact extends beyond simple configuration changes since NGINX operates with elevated privileges in most deployments, potentially allowing attackers to compromise the entire ingress controller infrastructure.

The operational implications of this vulnerability are severe given that it requires only write access to Kubernetes API resources rather than direct network exposure. An attacker could leverage this weakness to disable critical ingress services, redirect traffic to malicious endpoints, or create persistent backdoors through configuration injection. The fact that this affects the control plane means that organizations with proper network segmentation may still be vulnerable if their Kubernetes RBAC policies allow insufficiently restricted access to ingress controller resources.

Mitigation strategies should focus on implementing strict input validation and sanitization mechanisms within the NGINX Ingress Controller's configuration generation process. Organizations should enforce least-privilege access controls for CRD and Ingress annotation modifications, limiting write permissions to trusted administrators only. Additionally, implementing automated input validation checks that sanitize all user-controllable fields before they are processed into NGINX configuration directives would prevent exploitation. Regular security auditing of ingress controller configurations and monitoring for unauthorized modifications should also be implemented as part of comprehensive defensive measures against this class of vulnerability.

Responsible

F5

Reservation

06/18/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!