CVE-2026-3288:
Ingress-nginx vulnerability allows configuration injection and potential arbitrary code execution via the rewrite-target annotation.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:Mar 9, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.1
- EPSS Percentile:16%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Ingress-nginx vulnerability allows configuration injection and potential arbitrary code execution via the rewrite-target annotation.
Overview
The vulnerability in ingress-nginx stems from improper input validation of the 'rewrite-target' annotation. Attackers with the ability to create or modify Ingress resources can potentially exploit this weakness to inject malicious configuration into the nginx server. This can result in arbitrary code execution within the ingress-nginx controller's context, granting the attacker significant control over the affected Kubernetes cluster. Additionally, the vulnerability may lead to the disclosure of Secrets that the controller can access, which in default setups includes all Secrets across the cluster. The severity of this issue is heightened by its network-based attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. With a CVSS v3.1 base score of 8.8, this vulnerability is classified as High severity, emphasizing the urgent need for mitigation.
Remediation
- To address this vulnerability, system administrators and Kubernetes cluster operators should take the following steps:
- 1. Update ingress-nginx to the latest patched version as soon as it becomes available.
- 2. Implement strict access controls on who can create or modify Ingress resources in the cluster.
- 3. Regularly audit Ingress configurations for any suspicious or unexpected rewrite-target annotations.
- 4. Consider implementing additional network segmentation to limit the potential impact of a compromised ingress controller.
- 5. Review and potentially restrict the permissions granted to the ingress-nginx controller, especially concerning access to Secrets.
- 6. Monitor for any unusual activity or unexpected configuration changes in the ingress-nginx components.
- 7. Educate development and operations teams about the risks associated with Ingress annotations and the importance of validating user-supplied input.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
