CVE-2026-4342 is a high-severity Nginx Ingress vulnerability (CVSS 8.8) disclosed by the Kubernetes community. Attackers can combine Ingress annotations to inject malicious configuration into the underlying Nginx, execute arbitrary code in the Nginx Ingress Controller context, and exfiltrate the Kubernetes Secrets accessible to the controller.
In the default installation, the Nginx Ingress Controller has cluster-wide access to all Secrets.
Affected scope
Clusters without the Nginx Ingress Controller installed are not affected. Verify whether the controller is installed by using one of the following methods:
Component management
Run the following command. If it returns output, the controller is installed.
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
Helm Marketplace
On the ACK Clusters page, click the name of your cluster. In the left navigation pane, click .
Check the list for a chart application named ack-ingress-nginx or ack-ingress-nginx-v1. If either chart application exists, the controller is installed. The application version shown in the Helm Marketplace is the Nginx Ingress Controller version.
Affected Nginx Ingress versions:

| Branch | Affected versions | Patched version |
|--------|-------------------|-----------------|
| 1.13.x | < v1.13.9 | v1.13.9 |
| 1.14.x | < v1.14.5 | v1.14.5 |
| 1.15.x | < v1.15.1 | v1.15.1 |
Detection
Inspect the rules.http.paths.path field in all Ingress resources. Suspicious values may indicate active exploitation attempts.
# Check the path field of all Ingress resources
kubectl get ingress --all-namespaces -o json | \
jq '.items[].spec.rules[]?.http.paths[]?.path'
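The version table and the path check above, carried out as an added Python example that is not part of the ACK advisory: it compares a controller version tag against the patched release of its branch and flags Ingress path values containing characters that have no place in a plain URL path. The character heuristic and the sample Ingress objects are assumptions constructed for this example.

```python
"""Added example for CVE-2026-4342 triage (not the advisory's own tooling)."""
import json
import re
import sys

# Patched release per branch, taken from the advisory table.
PATCHED = {(1, 13): (1, 13, 9), (1, 14): (1, 14, 5), (1, 15): (1, 15, 1)}

def parse_version(tag):
    """'v1.13.9-release.1' -> (1, 13, 9); suffixes after the patch number are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(tag):
    """True if older than the branch's patched release, False if patched,
    None when the branch is not covered by the advisory table."""
    v = parse_version(tag)
    patched = PATCHED.get(v[:2])
    return None if patched is None else v < patched

# Characters that would end or restructure the generated nginx `location`
# directive; a legitimate path prefix never contains them (assumption).
SUSPICIOUS = re.compile(r"[\s;{}#$\"'`]")

def suspicious_paths(ingress_list):
    """Yield (namespace, name, path) for each path that matches SUSPICIOUS.
    ingress_list is the parsed output of `kubectl get ingress -A -o json`."""
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            for entry in (rule.get("http") or {}).get("paths") or []:
                path = entry.get("path") or ""
                if SUSPICIOUS.search(path):
                    yield meta.get("namespace"), meta.get("name"), path

# Constructed sample: one ordinary Ingress and one with an odd path value.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "shop"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api/v1"}, {"path": "/"}]}}]}},
    {"metadata": {"namespace": "dev", "name": "odd"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/x; not a path"}]}}]}},
]}

if __name__ == "__main__":
    # Use real cluster output when piped in; otherwise run on SAMPLE.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, path in suspicious_paths(data):
        print(f"{ns}/{name}: suspicious path {path!r}")
```

Pipe the output of the kubectl command above into the script to scan a live cluster; any hit should be reviewed against the Ingress's change history before the controller is upgraded.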
Resolution
ACK has released v1.13.9-release.1 to address this vulnerability. Upgrade the NGINX Ingress controller to the latest fixed version as soon as possible.