2026-02-03

Critical ingress-nginx security updates applied

#CVE  #nginx  #security 

Security Updates Applied

We have proactively updated ingress-nginx to the latest patched versions across all clusters to address four security vulnerabilities disclosed by the Kubernetes project. These updates have already been deployed, and no action is required from your side.

Vulnerabilities Addressed

Critical Severity

CVE-2026-1580 (CVSS 9.1): Configuration injection via auth-method annotation

  • Allowed arbitrary nginx configuration injection through the nginx.ingress.kubernetes.io/auth-method annotation
  • Could enable code execution and unauthorized access to cluster secrets

CVE-2026-24512 (CVSS 9.1): Configuration injection via rules.http.paths.path field

  • Allowed arbitrary nginx configuration injection through Ingress path specifications
  • Could enable remote code execution and exposure of Kubernetes Secrets

High Severity

CVE-2026-24514 (CVSS 7.1): Admission controller denial of service

  • Oversized requests to the validating admission controller could cause excessive memory consumption
  • Could result in controller pod crashes or node resource exhaustion

Medium/Low Severity

CVE-2026-24513: Auth-URL protection bypass

  • Under specific misconfiguration scenarios, authentication protections could be bypassed
  • Required specific conditions: custom error configuration and a defective custom-errors backend

What We Did

All clusters have been upgraded to ingress-nginx v1.14.3 (or v1.13.7 for older branches), which contains patches for all four vulnerabilities. The updates were applied with zero downtime to your applications.

Affected Versions

These vulnerabilities affected all ingress-nginx versions prior to v1.13.7 and v1.14.3.
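As an added example (not part of this notice and not the ingress-nginx project's own tooling), the script below turns two facts stated above into checks an operator can run offline against exported manifests: a branch-aware comparison of a controller image tag against the fixed releases v1.13.7 and v1.14.3, and a lint of Ingress objects for `nginx.ingress.kubernetes.io/auth-method` annotation values that are not a plain HTTP method token and for `rules.http.paths[].path` values carrying nginx configuration metacharacters, the two fields named as injection vectors. The sample manifests and image tags are constructed, and the treatment of branches newer than 1.14 as patched is an assumption not stated in the notice.

```python
"""Post-advisory triage helpers for ingress-nginx (added example, not advisory text).

  1. is_patched(tag): branch-aware check of a controller image tag against the
     fixed releases named in the notice (v1.13.7 for the 1.13 branch, v1.14.3
     for the 1.14 branch).
  2. audit_ingress(obj): flags Ingress objects whose auth-method annotation or
     rules.http.paths[].path contain characters that do not belong in an HTTP
     method token or a URL path, the two fields the notice names as vectors.
All sample data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# branch -> first patched release, taken from the notice
FIXED = {(1, 13): 7, (1, 14): 3}
AUTH_METHOD_ANNOTATION = "nginx.ingress.kubernetes.io/auth-method"
# A legitimate auth-method value is a bare HTTP method word (GET, POST, ...).
METHOD_TOKEN = re.compile(r"[A-Za-z]{1,20}")
# Whitespace, ';', '{', '}', '#', '$', quotes and backslashes never occur in a
# valid Ingress path but are all meaningful inside an nginx configuration file.
PATH_FORBIDDEN = re.compile(r"[\s;{}#$\"\\]")


def parse_version(tag: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from 'v1.14.3' or a full image reference."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised ingress-nginx tag: {tag!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(tag: str) -> bool:
    """True if the controller version contains the fixes described in the notice."""
    major, minor, patch = parse_version(tag)
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Assumption (not in the notice): branches newer than 1.14 include the fix.
    # Anything older than 1.13 falls under "all versions prior to v1.13.7".
    return branch > (1, 14)


def audit_ingress(ing: Dict) -> List[str]:
    """Return human-readable findings for one Ingress object (empty list = clean)."""
    findings: List[str] = []
    meta = ing.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    value = (meta.get("annotations") or {}).get(AUTH_METHOD_ANNOTATION)
    if value is not None and not METHOD_TOKEN.fullmatch(value):
        findings.append(f"{name}: auth-method annotation is not a plain HTTP method token: {value!r}")
    for rule in ing.get("spec", {}).get("rules", []):
        for p in (rule.get("http") or {}).get("paths", []):
            path = p.get("path", "")
            if PATH_FORBIDDEN.search(path):
                findings.append(f"{name}: path contains nginx configuration metacharacters: {path!r}")
    return findings


def audit_all(ingresses: List[Dict]) -> List[str]:
    """Run audit_ingress over a list of Ingress objects and concatenate findings."""
    out: List[str] = []
    for ing in ingresses:
        out.extend(audit_ingress(ing))
    return out


# Constructed sample manifests: one clean, one with a malformed annotation,
# one with a path that carries configuration-file characters.
SAMPLE_INGRESSES: List[Dict] = [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {AUTH_METHOD_ANNOTATION: "GET"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/api", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "odd-method",
                  "annotations": {AUTH_METHOD_ANNOTATION: "GET\n}"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "shop", "name": "odd-path"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/x;\n{", "pathType": "Exact"}]}}]}},
]

if __name__ == "__main__":
    for tag in ("v1.12.1", "v1.13.6", "v1.13.7", "v1.14.2",
                "registry.k8s.io/ingress-nginx/controller:v1.14.3"):
        print(f"{tag}: {'patched' if is_patched(tag) else 'AFFECTED'}")
    for line in audit_all(SAMPLE_INGRESSES):
        print("FINDING", line)
```

The lint is a triage aid for finding already-present manifests worth a closer look; the remediation is the controller upgrade described in this notice, and a clean lint result says nothing about whether a cluster is patched.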

Additional Resources

For detailed technical information about each vulnerability:

If you have any questions or concerns about these updates, please don’t hesitate to reach out to our support team.