PatchSiren cyber security CVE debrief
CVE-2026-4342 Kubernetes CVE debrief
A critical configuration injection vulnerability in the Kubernetes NGINX Ingress Controller allows authenticated attackers with Ingress creation privileges to achieve arbitrary code execution and cluster-wide Secret disclosure. The flaw stems from improper input validation (CWE-20) where malicious Ingress annotations can inject arbitrary nginx configuration directives. In default deployments, the controller's broad Secret access permissions amplify impact to full cluster compromise. Affected versions span multiple release branches prior to patched releases. No known exploitation in ransomware campaigns has been documented.
- Vendor: Kubernetes
- Product: ingress-nginx
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-03-19
- Advisory updated: 2026-05-19
Who should care
Platform engineering teams operating Kubernetes clusters with ingress-nginx; security architects designing multi-tenant cluster isolation; DevOps practitioners managing Ingress resources; compliance officers evaluating container orchestration security controls
Technical summary
The ingress-nginx controller processes Ingress resource annotations to generate nginx configuration. Insufficient validation allows attackers to inject arbitrary nginx directives through crafted annotation values. This enables: (1) arbitrary code execution via nginx configuration directives such as `lua_package_path` combined with `access_by_lua_block` or similar Lua execution contexts, and (2) Secret disclosure through `proxy_pass` directives targeting internal endpoints or file inclusion of controller-accessible Secret mounts. The vulnerability requires authenticated access to create or modify Ingress resources in any namespace (PR:L). Default installations grant the controller cluster-wide Secret read access, maximizing confidentiality impact. The attack vector is network-accessible (AV:N) with low complexity (AC:L) and no user interaction (UI:N), yielding CVSS 3.1 score 8.8 (HIGH).
Defensive priority
Critical
Recommended defensive actions
- Upgrade ingress-nginx controller to patched versions: 1.13.9+, 1.14.5+, or 1.15.1+
- Audit existing Ingress resources for suspicious annotation patterns, particularly those containing nginx configuration directives
- Implement least-privilege access controls restricting Ingress creation to trusted principals
- Review and restrict controller ServiceAccount permissions using RBAC to limit Secret access scope
- Enable admission controllers to validate Ingress annotations against allowlists
- Monitor controller logs for anomalous nginx configuration reloads or unexpected upstream connections
- Consider network policies to restrict egress from ingress-nginx controller pods
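The audit step above (reviewing existing Ingress annotations for nginx configuration directives) can be scripted. The following is an added example, not code from PatchSiren or from the ingress-nginx project: it scans the annotations of Ingress objects in the JSON shape produced by `kubectl get ingress -A -o json`, flags values that contain the directives named in the technical summary (`lua_package_path`, `access_by_lua_block`, `proxy_pass`) or that are shaped like nginx configuration (directive terminators, block braces, embedded newlines), and prints one line per hit. The sample Ingress list, its annotation key and hostnames are constructed; the marker set is an assumption to be tuned per environment.

```python
import json
import sys

# Added example (not PatchSiren's or the ingress-nginx project's code).
# A hit is a review trigger, not proof of compromise: some legitimate
# annotations carry raw nginx configuration and will also be flagged.

# Directives named in the debrief's technical summary.
SUSPICIOUS_DIRECTIVES = ("lua_package_path", "access_by_lua_block", "proxy_pass")

# Characters that terminate or open nginx directives/blocks. An annotation
# value carrying them is shaped like configuration rather than like a path,
# hostname or boolean (assumption: adjust for your cluster's conventions).
CONFIG_MARKERS = (";", "{", "}", "\n")


def scan_annotations(annotations):
    """Return a list of (annotation_key, reason) tuples for one Ingress."""
    findings = []
    for key, value in (annotations or {}).items():
        if not isinstance(value, str):
            continue
        for directive in SUSPICIOUS_DIRECTIVES:
            if directive in value:
                findings.append((key, "directive:" + directive))
        if any(marker in value for marker in CONFIG_MARKERS):
            findings.append((key, "config-shaped-value"))
    return findings


def audit_ingress_list(ingress_list):
    """Audit an IngressList document; return one entry per flagged Ingress."""
    report = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        findings = scan_annotations(meta.get("annotations"))
        if findings:
            report.append({
                "namespace": meta.get("namespace", ""),
                "name": meta.get("name", ""),
                "findings": findings,
            })
    return report


def format_report(report):
    """Render the audit report as 'namespace/name: key -> reason' lines."""
    lines = []
    for entry in report:
        for key, reason in entry["findings"]:
            lines.append(f"{entry['namespace']}/{entry['name']}: {key} -> {reason}")
    return lines


# Constructed sample: one ordinary Ingress and one whose annotation value
# looks like injected nginx configuration. The annotation key is a
# placeholder, not a statement about which real annotation is affected.
SAMPLE_INGRESS_LIST = {
    "kind": "IngressList",
    "items": [
        {"metadata": {"namespace": "shop", "name": "shop-frontend",
                      "annotations": {"kubernetes.io/ingress.class": "nginx",
                                      "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
        {"metadata": {"namespace": "tenant-b", "name": "tenant-b-ingress",
                      "annotations": {"nginx.ingress.kubernetes.io/placeholder-annotation":
                                      "/api;\nproxy_pass http://internal-service.constructed.local;"}}},
    ],
}


if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json | python audit_ingress.py
    # With no piped input, the constructed sample is audited instead.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INGRESS_LIST
    for line in format_report(audit_ingress_list(doc)):
        print(line)
```

Run it against live output from `kubectl` and triage each flagged Ingress by namespace and owner; the same scan can be scheduled to catch newly created or modified Ingress resources until the controller is upgraded and admission validation is in place.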
Evidence notes
Vulnerability confirmed through NVD analysis with CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CPE criteria identify affected versions: all releases prior to 1.13.9, 1.14.0 through 1.14.4, and 1.15.0. Primary weakness classification deferred by NVD (NVD-CWE-noinfo) with secondary CWE-20 assignment from Kubernetes security team. Issue tracking reference confirms vendor acknowledgment.
Official resources
- CVE-2026-4342 CVE record (CVE.org)
- CVE-2026-4342 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Issue Tracking
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
2026-03-19