The Kubernetes community recently disclosed a high-severity vulnerability, CVE-2026-4342, affecting the Nginx Ingress Controller. Attackers can exploit this vulnerability by chaining Ingress annotations to inject malicious configurations, which could allow them to execute arbitrary code in the context of the Nginx Ingress Controller and steal any Kubernetes Secrets accessible to the Controller. This vulnerability is rated as high severity with a CVSS score of 8.8.
In a default installation, the Controller has permissions to access all Secrets across the cluster.
Affected scope
This vulnerability does not affect clusters without the Nginx Ingress Controller component installed. The component can be installed in one of two ways.
Component management
Run the following command. If the command returns output, the component is installed.
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
Helm Marketplace
On the ACK Clusters page, click the name of your cluster. In the left navigation pane, click .
Check the list for a chart application named ack-ingress-nginx or ack-ingress-nginx-v1. If either chart application exists, the component is installed. The application version shown in the Helm Marketplace is the Nginx Ingress Controller version.
The following Nginx Ingress Controller versions are affected:
| Version branch | Affected scope | Fixed version |
| 1.13.x | < v1.13.9 | v1.13.9 |
| 1.14.x | < v1.14.5 | v1.14.5 |
| 1.15.x | < v1.15.1 | v1.15.1 |
Detection
Inspect the rules.http.paths.path field of your Ingress resources. Suspicious values in this field may indicate an exploit attempt.
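The following Python script is an added example and is not part of this advisory or of the ACK product. It applies the same rules.http.paths.path inspection to the JSON that kubectl get ingress --all-namespaces -o json returns, using a constructed sample document embedded in the script so that it runs offline, and it flags any path that contains characters a plain URL path never carries (whitespace, newlines, braces, semicolons, quotes, '#', '$'). That character heuristic, the sample Ingress objects and the helper names are assumptions of the example; the version check at the end reuses only the fixed versions listed in the table above.

```python
import json
import re

# Constructed sample (not real cluster data): the shape of
# `kubectl get ingress --all-namespaces -o json`, reduced to the fields
# this check reads. The second Ingress carries a path with config-like
# characters, which is what the scan is meant to surface.
SAMPLE_INGRESS_LIST = json.dumps({
    "items": [
        {
            "metadata": {"namespace": "shop", "name": "web"},
            "spec": {"rules": [{"host": "shop.example.test",
                                "http": {"paths": [
                                    {"path": "/", "pathType": "Prefix"},
                                    {"path": "/api/v1", "pathType": "Prefix"}]}}]},
        },
        {
            "metadata": {"namespace": "default", "name": "odd"},
            "spec": {"rules": [{"http": {"paths": [
                {"path": "/api\n; # odd", "pathType": "ImplementationSpecific"}]}}]},
        },
        {
            "metadata": {"namespace": "default", "name": "no-rules"},
            "spec": {"defaultBackend": {"service": {"name": "svc", "port": {"number": 80}}}},
        },
    ]
})

# Heuristic (an assumption of this example, not a rule stated by the advisory):
# a legitimate Ingress path is a plain URL path, so whitespace, braces,
# semicolons, quotes, '#' and '$' have no business appearing in one.
SUSPICIOUS_CHARS = re.compile(r'[\s{};#$"\'\\]')


def iter_paths(ingress_list):
    """Yield (namespace, name, path) for every rules[].http.paths[].path,
    tolerating Ingress objects that have no rules or a rule without http."""
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                yield meta.get("namespace", ""), meta.get("name", ""), p.get("path", "")


def is_suspicious_path(path):
    """True when the path is not rooted at '/' or contains a suspicious character."""
    if not path.startswith("/"):
        return True
    return SUSPICIOUS_CHARS.search(path) is not None


def scan_ingress_json(raw_json):
    """Parse kubectl JSON output and return the (namespace, name, path)
    triples that deserve a manual review."""
    return [(ns, name, path)
            for ns, name, path in iter_paths(json.loads(raw_json))
            if is_suspicious_path(path)]


def is_affected_version(version):
    """Compare a controller version string (e.g. 'v1.14.3' or
    'v1.13.9-release.1') with the fixed version of its branch from the
    advisory table. Returns None for a branch the table does not list."""
    fixed_per_branch = {(1, 13): (1, 13, 9), (1, 14): (1, 14, 5), (1, 15): (1, 15, 1)}
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    branch_fix = fixed_per_branch.get((major, minor))
    if branch_fix is None:
        return None
    return (major, minor, patch) < branch_fix


if __name__ == "__main__":
    # Replace SAMPLE_INGRESS_LIST with sys.stdin.read() to run it against a
    # live `kubectl get ingress --all-namespaces -o json` stream.
    for ns, name, path in scan_ingress_json(SAMPLE_INGRESS_LIST):
        print(f"review {ns}/{name}: path={path!r}")
    for v in ("v1.14.3", "v1.13.9-release.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

A path that trips the heuristic is not proof of exploitation; it is a prompt to look at who created that Ingress and which annotations it carries, which is what the advisory's own jq query is meant to surface.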
# Check the path field of all Ingress resources
kubectl get ingress --all-namespaces -o json | \
  jq '.items[].spec.rules[]?.http.paths[]?.path'
Resolution
ACK has released a patched version, v1.13.9-release.1, to fix this vulnerability. We recommend that you upgrade to the latest patched version immediately. For detailed instructions, see Upgrade the Nginx Ingress Controller component.