{"id":39515,"date":"2026-02-11T14:37:03","date_gmt":"2026-02-11T19:37:03","guid":{"rendered":"https:\/\/www.yorku.ca\/uit\/?p=39515"},"modified":"2026-02-11T14:43:17","modified_gmt":"2026-02-11T19:43:17","slug":"ingress-nginx-configuration-injection-vulnerability-cve-2026-24512","status":"publish","type":"post","link":"https:\/\/www.yorku.ca\/uit\/2026\/02\/ingress-nginx-configuration-injection-vulnerability-cve-2026-24512\/","title":{"rendered":"Ingress NGINX Configuration Injection Vulnerability (CVE-2026-24512)"},"content":{"rendered":"
\n
\n
\n

 <\/o:p><\/span><\/p>\n

\n\n\n\n
\n\n\n\n\n
<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n\n\n\n\n
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n
\n\n\n\n\n\n
\n

\"A<\/span><\/o:p><\/span><\/p>\n

 <\/o:p><\/span><\/p>\n

Information Security Advisory<\/span><\/b><\/o:p><\/span><\/p>\n


A recently discovered vulnerability in the Kubernetes ingress-nginx controller (CVE\u20112026\u201124512) allows attackers to execute arbitrary code by exploiting improper sanitization of user\u2011supplied ingress path data.
<\/span>
Severity level<\/span><\/b> 
<\/span><\/b>CVSS Score: 8.8\/high

Description<\/b>:
Ingress\u2011NGINX is a widely used open\u2011source Kubernetes ingress controller responsible for managing inbound traffic to cluster services.<\/span><\/span> <\/span>A vulnerability exists in ingress\u2011nginx where the rules.http.paths.path<\/b> field fails to properly validate user\u2011defined input.<\/span> <\/span>This flaw allows attackers to inject rogue NGINX configuration directives, enabling arbitrary code execution within the ingress\u2011nginx controller container.
<\/span>
Affected Versions<\/span><\/b>:
<\/span><\/b>All ingress-nginx versions prior to v1.13.7 and prior v1.14.3 are affected.

Impact:
<\/b>Successful exploitation allows attackers to execute arbitrary code inside the ingress-nginx controller.
<\/span>
Resolution:
<\/span><\/b>Upgrade to the version 1.13.7, 1.14.3 or later immediately.
<\/span>
<\/b><\/span>Mitigation:
<\/span><\/b><\/span>Deploy a validating admission controller that rejects Ingress resources using the ImplementationSpecific path type, blocking the attack vector.
<\/span>
<\/b><\/span>Reference:<\/span><\/b><\/span><\/o:p><\/span><\/span><\/p>\n

https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-24512<\/span><\/a><\/o:p><\/span><\/span><\/p>\n

https:\/\/www.runzero.com\/blog\/k8s-ingress-nginx-controller\/<\/span><\/a><\/o:p><\/span><\/span><\/p>\n

https:\/\/www.tenable.com\/cve\/CVE-2026-24512<\/span><\/a><\/o:p><\/span><\/span><\/p>\n

https:\/\/github.com\/kubernetes\/kubernetes\/issues\/136678<\/span><\/a><\/o:p><\/span><\/span><\/p>\n

 <\/o:p><\/span><\/p>\n

 <\/o:p><\/span><\/p>\n

 <\/o:p><\/p>\n


Information Security<\/span> <\/o:p><\/span><\/p>\n

<\/p>\n

Contact <\/span><\/b><\/o:p><\/span><\/p>\n

IT Client Services at <\/span>askIT@yorku.ca<\/a><\/span><\/a> or 416 736 5800 <\/o:p><\/span><\/span><\/p>\n<\/td>\n<\/tr>\n

\n

 <\/o:p><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n

\n\n\n\n
\n\n\n\n\n
\n

 <\/o:p><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n

\n\n\n\n
\n\n\n\n
\n\n\n\n\n
<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n\n\n\n
\n

PRIVACY POLICY<\/span><\/a> | <\/span>VISIT WWW.YORKU.CA<\/span><\/a>
This email was sent by: ¿ì²¥ÊÓƵ, 4700 Keele Street, Toronto, Ontario M3J 1P3<\/b> <\/span><\/o:p><\/span><\/p>\n

This email is viewed best in Microsoft Outlook for web <\/span><\/o:p><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n

 <\/o:p><\/span><\/p>\n

 <\/o:p><\/span><\/p><\/div>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

    Information Security Advisory A recently discovered vulnerability in the Kubernetes ingress-nginx controller (CVE\u20112026\u201124512) allows attackers to execute arbitrary code by exploiting improper sanitization of user\u2011supplied ingress path data. Severity level  CVSS Score: 8.8\/high Description: Ingress\u2011NGINX is a widely used open\u2011source Kubernetes ingress controller responsible for managing inbound traffic to cluster services. A vulnerability […]<\/p>\n","protected":false},"author":212,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","footnotes":""},"categories":[29],"tags":[],"class_list":["post-39515","post","type-post","status-publish","format-standard","hentry","category-news"],"taxonomy_info":{"category":[{"value":29,"label":"News"}]},"featured_image_src_large":false,"author_info":{"display_name":"aalaily","author_link":"https:\/\/www.yorku.ca\/uit\/author\/aalaily\/"},"comment_info":"","category_info":[{"term_id":29,"name":"News","slug":"news","term_group":0,"term_taxonomy_id":3,"taxonomy":"category","description":"","parent":0,"count":484,"filter":"raw","cat_ID":29,"category_count":484,"category_description":"","cat_name":"News","category_nicename":"news","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/posts\/39515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/users\/212"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/comments?post=39515"}],"version-history":[{"count":0,"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/posts\/39515\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/media?parent=39515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/categories?post=39515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/wp-json\/wp\/v2\/tags?post=39515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}