A recently discovered vulnerability in the Kubernetes ingress-nginx controller (CVE-2026-24512) allows attackers to execute arbitrary code by exploiting improper sanitization of user-supplied ingress path data.

Severity level: CVSS score 8.8 (High)

Description: Ingress-NGINX is a widely used open-source Kubernetes ingress controller responsible for managing inbound traffic to cluster services. A vulnerability exists in ingress-nginx where the rules.http.paths.path field is not properly validated and accepts arbitrary user-defined input. This flaw allows attackers to inject rogue NGINX configuration directives, enabling arbitrary code execution within the ingress-nginx controller container.

Affected Versions: All ingress-nginx versions prior to v1.13.7 and prior to v1.14.3 are affected.

Impact: Successful exploitation allows attackers to execute arbitrary code inside the ingress-nginx controller.

Resolution: Upgrade to version 1.13.7, 1.14.3 or later immediately.

Mitigation: Deploy a validating admission controller that rejects Ingress resources using the ImplementationSpecific path type, blocking the attack vector.
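
One way to implement the mitigation above, as an added example that is not part of the original advisory or the ingress-nginx project: a ValidatingAdmissionPolicy that denies any Ingress whose paths use the ImplementationSpecific path type. The object names are hypothetical, and the manifest assumes a cluster that serves the admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy API (Kubernetes 1.30 or later).

```yaml
# Added example; object names are hypothetical placeholders.
# Assumes admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy is available.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: deny-implementationspecific-ingress-paths
spec:
  # Fail closed: reject the request if the policy cannot be evaluated.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    # spec.rules and rule.http are optional, so guard both before
    # checking every path's pathType.
    - expression: >-
        !has(object.spec.rules) ||
        object.spec.rules.all(r, !has(r.http) ||
        r.http.paths.all(p, p.pathType != 'ImplementationSpecific'))
      message: "Ingress paths with pathType ImplementationSpecific are not allowed"
---
# The policy has no effect until a binding selects it and sets an action.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: deny-implementationspecific-ingress-paths-binding
spec:
  policyName: deny-implementationspecific-ingress-paths
  # Deny rejects the request outright.
  validationActions: ["Deny"]
```

Admission policies only evaluate CREATE and UPDATE requests, so Ingress objects already present in the cluster need a separate audit.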