This high-severity vulnerability in ingress-nginx lets an attacker inject nginx configuration through an Ingress field, leading to arbitrary code execution in the controller and potential disclosure of Kubernetes Secrets.
What Is It
CVE-2026-24512 is an improper input validation flaw (CWE-20) in ingress-nginx, the NGINX-based Kubernetes ingress controller. The controller renders Ingress objects into an nginx configuration, and the value of the rules.http.paths.path field is not validated strictly enough before it is rendered, so a crafted path can inject configuration directly into nginx. NVD published the record on February 3, 2026, and last modified it on March 9, 2026.
Why It Matters
The impact is severe: the vulnerability carries a CVSS v3.1 base score of 8.8 (HIGH). Successful exploitation gives arbitrary code execution inside the ingress-nginx controller pod, and with it the ability to read any Secret the controller's service account can read. In a default installation that service account can read Secrets cluster-wide, so code execution in the controller translates into cluster-wide Secret disclosure rather than a compromise confined to one namespace.
What's Vulnerable
The vulnerability affects ingress-nginx through the rules.http.paths.path field of Ingress objects. In practice the low privilege the vector requires (PR:L) is the ability to create or update Ingress objects in a namespace the controller serves; combined with network reachability of the Kubernetes API (AV:N) and no user interaction (UI:N), that is all an attacker needs. Any principal holding create or update on ingresses in such a namespace is therefore in scope, including tenants of a shared cluster.
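To triage the Ingress objects already in a cluster, the following added Python script (not from the ingress-nginx project or the advisory) walks the JSON that `kubectl get ingress -A -o json` produces and flags any path value that carries nginx configuration syntax. The allowlist regex, the set of flagged characters and the embedded sample documents are constructed assumptions for illustration; the script does not reproduce the CVE-2026-24512 payload, which this page does not publish.

```python
"""Flag Ingress path values that could be read by nginx as configuration.

Added example, not part of ingress-nginx. The allowlist regex below is a
conservative assumption: it accepts the URL-path characters a legitimate
Ingress (including rewrite-style regex paths) normally needs and rejects
anything nginx could treat as syntax (whitespace, newlines, ';', '{', '}',
'#', '$', quotes). Widen it if your cluster legitimately uses other characters.
"""
import json
import re
import sys

SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~%/:@=,+()!*-]*$")

# Characters that terminate or open nginx directives and blocks, start
# comments or variables, or break tokenisation. Any of these in a path
# deserves a look regardless of what the allowlist says.
NGINX_META = {
    ";": "directive terminator", "{": "block open", "}": "block close",
    "#": "comment", "$": "variable", '"': "quote", "'": "quote",
    "\n": "newline", "\r": "carriage return", "\t": "tab", " ": "space",
}


def reasons_for(path: str) -> list[str]:
    """Return the reasons a path is suspicious; an empty list means it passed."""
    hits = [f"contains {desc} ({ch!r})" for ch, desc in NGINX_META.items() if ch in path]
    if not hits and not SAFE_PATH.match(path):
        hits.append("outside conservative allowlist")
    return hits


def find_suspicious_paths(ingress_list: dict) -> list[dict]:
    """Walk a `kubectl get ingress -A -o json` document and report risky paths."""
    findings = []
    for ing in ingress_list.get("items") or []:
        meta = ing.get("metadata") or {}
        for rule in (ing.get("spec") or {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path")
                if path is None:
                    continue  # path is optional; nothing to render
                why = reasons_for(path)
                if why:
                    findings.append({
                        "namespace": meta.get("namespace", ""),
                        "name": meta.get("name", ""),
                        "pathType": p.get("pathType"),
                        "path": path,
                        "reasons": why,
                    })
    return findings


# Constructed sample, not real cluster data: two benign Ingresses (one using a
# regex path of the kind rewrite rules need) and one whose path carries nginx
# syntax. Backends are omitted because the check never looks at them.
SAMPLE = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"rules": [{"host": "shop.example.internal",
                             "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
        {"metadata": {"namespace": "shop", "name": "api-rewrite"},
         "spec": {"rules": [{"http": {"paths": [
             {"path": "/api/(.*)", "pathType": "ImplementationSpecific"}]}}]}},
        {"metadata": {"namespace": "dev", "name": "odd"},
         "spec": {"rules": [{"http": {"paths": [
             {"path": "/admin \n# injected", "pathType": "ImplementationSpecific"}]}}]}},
    ],
}

if __name__ == "__main__":
    # Usage: python3 scan_ingress_paths.py [ingresses.json]; with no argument the
    # constructed SAMPLE above is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE
    for f in find_suspicious_paths(doc):
        print(f"{f['namespace']}/{f['name']} pathType={f['pathType']} "
              f"path={f['path']!r}: {', '.join(f['reasons'])}")
```

Run it against a dump of every namespace (`kubectl get ingress -A -o json > ingresses.json`) and treat any hit as something to read by hand: a regex path under `ImplementationSpecific` is common and passes the allowlist, whereas a path containing a newline or a semicolon has no legitimate reason to exist.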
Patch Status
Current NVD records list the vulnerability status as "Awaiting Analysis", and no fixed versions are given in the available data. Administrators should track the referenced GitHub issue for the fixed release and the project's own remediation guidance; anything applied before that is an interim workaround, not a substitute for upgrading.
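One interim control that does not wait for a fixed release is to stop the API server from accepting Ingress paths that carry nginx syntax at all. The following added Kubernetes ValidatingAdmissionPolicy is an example written for this page, not an artifact of the ingress-nginx project or the advisory; the allowlist regex is an assumption that you should widen if legitimate Ingresses in your cluster use other characters. It needs a cluster that serves admissionregistration.k8s.io/v1 (Kubernetes 1.30 or later).

```yaml
# Added example, not from ingress-nginx: reject Ingress objects whose path
# values fall outside a conservative allowlist. The regex is an assumption
# (URL-path characters plus the (.*)-style regex pieces rewrite rules use);
# it deliberately excludes whitespace, newlines, ';', '{', '}', '#', '$'
# and quotes, which nginx could interpret as configuration syntax.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: ingress-path-allowlist
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    - expression: >-
        !has(object.spec.rules) ||
        object.spec.rules.all(r,
          !has(r.http) ||
          r.http.paths.all(p,
            !has(p.path) ||
            p.path.matches('^/[A-Za-z0-9._~%/:@=,+()!*-]*$')))
      message: "Ingress path contains characters outside the allowed set (no whitespace, ';', '{', '}', '#', '$' or quotes)."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: ingress-path-allowlist
spec:
  policyName: ingress-path-allowlist
  validationActions: ["Deny"]
```

Apply the binding with `validationActions: ["Audit"]` first and watch the audit annotations for a day or two; that shows which existing workloads the allowlist would break before anything is denied. Note that the policy only blocks new and updated objects, so it complements rather than replaces a scan of the Ingresses that are already present.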
Sources
- NVD CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2026-24512
- GitHub Issue: https://github.com/kubernetes/kubernetes/issues/136678