Container Service for Kubernetes: Security advisory for CVE-2026-4342

Last Updated: Jun 18, 2026

CVE-2026-4342 is a high-severity Nginx Ingress vulnerability (CVSS 8.8) disclosed by the Kubernetes community. Attackers can combine Ingress annotations to inject malicious configuration into the underlying Nginx, execute arbitrary code in the context of the Nginx Ingress Controller, and exfiltrate Kubernetes Secrets accessible to the Controller.

In the default installation, the Nginx Ingress Controller has cluster-wide access to all Secrets.

Affected scope

Clusters without the Nginx Ingress Controller installed are not affected. Verify whether the controller is installed by using one of the following methods:

  • Component management

    Run the following command. If it returns output, the controller is installed.

    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

  • Helm Marketplace

    1. On the ACK Clusters page, click the name of your cluster. In the left navigation pane, click Applications > Helm.

    2. Check the list for a chart application named ack-ingress-nginx or ack-ingress-nginx-v1. If either chart application exists, the controller is installed.

      The application version from the Helm Marketplace is the Nginx Ingress Controller version.

Affected Nginx Ingress versions:

Branch    Affected versions    Patched version
1.13.x    < v1.13.9            v1.13.9
1.14.x    < v1.14.5            v1.14.5
1.15.x    < v1.15.1            v1.15.1
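
The following POSIX shell function is an added example, not part of the original advisory: it classifies a controller version or image reference against the table above. The registry name and sample tags are constructed, and branches that the table does not list are reported as "unlisted" because the advisory does not state their status.

```shell
#!/bin/sh
# Added example: classify an ingress-nginx version or image reference against
# the advisory's "Affected Nginx Ingress versions" table. POSIX sh, no cluster needed.

# First patched patch-level per branch, copied from the table.
patched_for_branch() {
  case "$1" in
    1.13) echo 9 ;;
    1.14) echo 5 ;;
    1.15) echo 1 ;;
    *) return 1 ;;   # branch not listed in the advisory
  esac
}

# classify_version <version|image-ref> -> affected | patched | unlisted | unparsed
classify_version() {
  ref=${1%%@*}       # drop an "@sha256:..." digest, if present
  tag=${ref##*/}     # last path component: "repo:tag" or a bare version
  tag=${tag##*:}     # keep the text after the tag colon
  tag=${tag#v}
  case "$tag" in *.*.*) ;; *) echo unparsed; return 0 ;; esac
  major=${tag%%.*}; rest=${tag#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=${rest%%[!0-9]*}   # "9-release.1" -> "9"
  for part in "$major" "$minor" "$patch"; do
    case "$part" in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
  done
  fixed=$(patched_for_branch "$major.$minor") || { echo unlisted; return 0; }
  if [ "$patch" -lt "$fixed" ]; then echo affected; else echo patched; fi
}

# Constructed sample inputs (registry name and most tags are made up for the demo;
# v1.13.9-release.1 is the ACK release named in the advisory).
for sample in v1.13.8 v1.13.9-release.1 \
    registry.example.com:5000/acs/ingress-controller:v1.14.4 v1.12.0 latest; do
  printf '%-10s %s\n' "$(classify_version "$sample")" "$sample"
done

# Against a live cluster, feed it the controller images (same selector as above):
#   kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}' |
#     while read -r image; do echo "$(classify_version "$image") $image"; done
```
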

Detection

Inspect the rules.http.paths.path field in all Ingress resources. Suspicious values may indicate active exploitation attempts.

# Check the path field of all Ingress resources
kubectl get ingress --all-namespaces -o json | \
  jq '.items[].spec.rules[]?.http.paths[]?.path'

Resolution

ACK has released v1.13.9-release.1 to address this vulnerability. Upgrade the Nginx Ingress Controller to the latest fixed version as soon as possible.