Notice of NGINX Ingress Controller Vulnerabilities (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514)

The Kubernetes community recently identified four security vulnerabilities (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514) that could potentially allow attackers to run unauthorized code or interrupt services.

• CVE-2026-1580: This high-risk vulnerability was discovered in the NGINX Ingress Controller. The nginx.ingress.kubernetes.io/auth-method annotation in an ingress can be exploited to inject configuration into NGINX. This allows attackers to execute arbitrary code within the context of the NGINX Ingress Controller and potentially disclose any secrets accessible to the controller.
• CVE-2026-24512: This high-risk vulnerability was discovered in the NGINX Ingress Controller. When the rules.http.paths.path field in an ingress is set to ImplementationSpecific, its value may be injected directly into NGINX. This allows attackers to execute arbitrary code within the context of the NGINX Ingress Controller and potentially disclose any secrets accessible to the controller.
• CVE-2026-24513: This vulnerability was discovered in the NGINX Ingress Controller. Under certain incorrect configurations, the auth-url annotation in an ingress can be exploited to inject arbitrary configuration into NGINX. This may result in authentication bypass.
• CVE-2026-24514: This vulnerability was discovered in the NGINX Ingress Controller. NGINX Ingress Controller's validating admission controller does not effectively restrict request size. This insufficient validation can lead to resource exhaustion–based denial-of-service attacks.

Solution

CCE will release a new version of NGINX Ingress Controller to fix these vulnerabilities. Keep an eye out for NGINX Ingress Controller Release History.

The vulnerability fixing involves CCE clusters of versions ranging from v1.29 to v1.34. If your CCE cluster version is earlier than v1.29, upgrade the cluster and then NGINX Ingress Controller. Before the upgrade, you are advised to read NGINX Ingress Controller Upgrade Compatibility.

Before fixing these vulnerabilities, grant only the permissions for creating and managing ingresses to trusted users based on the principle of least privilege. For details, see Namespace Permissions (Kubernetes RBAC-based).

1. Log in to the CCE console.
2. Go to the Permissions page, select the target cluster, and click Add Permission in the upper right corner.
3. Specify the user or user group, namespace, and permission type to be granted, and click View Details.

   

4. Click Clone.

   

5. Enter the name of the new custom permission.

   

6. Delete the ingress role and click OK.

   

7. Return to the page for adding permissions, set Permission Type to Custom, and select the custom permission created in the previous step.

   

8. Click OK.