When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission…
Summary
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
What this means
In plain English
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. The official description indicates that an attacker needs authenticated access or valid credentials first.
Vulnerable items
- NGINX Ingress Controller — NGINX Ingress Controller is a F5 management component used to administer connected systems or services.
Recommended action
Primary action: update to a vendor-listed fixed release: 5.5.2, 2026-lts-r3.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- NGINX Ingress Controller 5.0.0 before 5.5.2
- NGINX Ingress Controller 2026-lts-r1 before 2026-lts-r3
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 5.5.2
- 2026-lts-r3
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 5.5.2, 2026-lts-r3. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.