2026-03-17

Security update: ingress-nginx rewrite-target configuration injection (CVE-2026-3288)

#CVE  #nginx  #security 

Last week we patched all clusters running ingress-nginx to address CVE-2026-3288, a configuration injection vulnerability in the rewrite-target annotation. The updates were applied as soon as the CVE became public last week: non-production clusters were patched on March 10th, and production clusters completed their updates the following day, March 11th.

CVE-2026-3288 allows arbitrary nginx configuration injection through the nginx.ingress.kubernetes.io/rewrite-target annotation. A malicious user with permissions to create or update Ingress objects could craft a specially designed rewrite-target value to inject raw nginx directives, potentially leading to unauthorized access to secrets or remote code execution within the ingress controller context.
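A quick way to review existing Ingress objects for rewrite-target values that do not look like ordinary paths, as an added example that is not part of this advisory or of the ingress-nginx project; the "plain path" regex is an assumption about what legitimate values look like, and the sample Ingress objects are constructed.

```python
import json
import re

# Annotation name as given in the advisory above.
REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

# Assumption (not from the advisory): a legitimate rewrite-target is a URI path,
# optionally containing $1-style capture references. Line breaks, semicolons,
# braces and whitespace have no place in a path and are treated as suspicious.
SAFE_VALUE = re.compile(r"^/[\w.~!$&'()*+,=:@%/-]*$")


def find_suspicious_rewrite_targets(ingresses):
    """Return (namespace, name, value) for every Ingress whose rewrite-target
    annotation does not look like a plain path. `ingresses` is a list of
    Ingress objects as dicts (the `items` of `kubectl get ingress -A -o json`)."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        value = (meta.get("annotations") or {}).get(REWRITE_TARGET)
        if value is None:
            continue  # no rewrite rule on this Ingress, nothing to check
        if not SAFE_VALUE.match(value):
            findings.append((meta.get("namespace", "default"), meta.get("name", "?"), value))
    return findings


def audit_kubectl_output(raw_json):
    """Convenience wrapper: pass it the text of `kubectl get ingress -A -o json`."""
    return find_suspicious_rewrite_targets(json.loads(raw_json).get("items", []))


# Constructed sample: two ordinary rewrite rules, one Ingress without a rewrite,
# and one value containing a line break and a semicolon, which a path never has.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "web", "name": "frontend",
                  "annotations": {REWRITE_TARGET: "/"}}},
    {"metadata": {"namespace": "api", "name": "gateway",
                  "annotations": {REWRITE_TARGET: "/v1/$2"}}},
    {"metadata": {"namespace": "default", "name": "no-rewrite",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
    {"metadata": {"namespace": "default", "name": "odd-one",
                  "annotations": {REWRITE_TARGET: "/;\n# not a path"}}},
]

if __name__ == "__main__":
    for ns, name, value in find_suspicious_rewrite_targets(SAMPLE_INGRESSES):
        print(f"{ns}/{name}: unexpected rewrite-target {value!r}")
```

Running it against the sample flags only `default/odd-one`; against a live cluster, pipe `kubectl get ingress -A -o json` into `audit_kubectl_output`.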

Because we do not run multi-tenant environments and restrict Kubernetes access and Ingress creation to trusted users, the risk of exploitation was low. We nevertheless patched immediately to keep our clusters secure.

Kubernetes Security Announcement

No action is required from your side.