DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24512: The Open Door: Smuggling Lua into Kubernetes Ingress-Nginx

#security #cve #cybersecurity

The Open Door: Smuggling Lua into Kubernetes Ingress-Nginx

Vulnerability ID: CVE-2026-24512
CVSS Score: 8.8
Published: 2026-02-03

A critical configuration injection vulnerability exists in the Kubernetes ingress-nginx controller, the de facto standard for ingress traffic management in K8s clusters. Due to insufficient sanitization of the rules.http.paths.path field when using the ImplementationSpecific path type, attackers with permissions to create or update Ingress resources can inject arbitrary Nginx directives. This effectively turns a standard routing rule into a remote code execution (RCE) vector, granting full control over the ingress controller and, by extension, access to all secrets in the cluster.

TL;DR

CVE-2026-24512 allows attackers to inject Nginx configuration directives via the path field in Kubernetes Ingress resources. This leads to RCE via Lua injection and potential cluster-wide compromise. Patched in v1.13.7 and v1.14.3.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20 (Improper Input Validation)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Network (Authenticated K8s API)
  • Impact: Remote Code Execution (RCE) / Secret Disclosure
  • EPSS Score: 0.00095 (Low Probability of Mass Exploit)
  • KEV Status: Not Listed

Affected Systems

  • Kubernetes Clusters using ingress-nginx
  • Azure Kubernetes Service (AKS) (if managing own ingress)
  • Google Kubernetes Engine (GKE) (if managing own ingress)
  • Amazon EKS (if managing own ingress)
  • ingress-nginx: < 1.13.7 (Fixed in: 1.13.7)
  • ingress-nginx: v1.14.0 - v1.14.2 (Fixed in: 1.14.3)

Exploit Details

  • GitHub: Original issue disclosure describing the path injection vector.

Mitigation Strategies

  • Upgrade ingress-nginx controller immediately.
  • Implement ValidatingAdmissionPolicies (Kubernetes 1.30+) or OPA/Kyverno policies to reject dangerous characters in Ingress paths.
  • Restrict 'ImplementationSpecific' pathType usage via policy.
  • Audit existing Ingress resources for suspicious characters ({, }, ;).

Remediation Steps:

  1. Check current version: kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep image
  2. Update Helm repository: helm repo update
  3. Upgrade via Helm: helm upgrade ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --version <secure-chart-version>
  4. Verify the new image tag is >= v1.13.7 or >= v1.14.3

References

Read the full report for CVE-2026-24512 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)