When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection…
Summary
When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
What this means
In plain English
When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. The official description indicates that an attacker needs authenticated access or valid credentials first.
Vulnerable items
- NGINX Ingress Controller — NGINX Ingress Controller is a F5 management component used to administer connected systems or services.
Recommended action
Primary action: update to a vendor-listed fixed release: 5.5.2, 2026-lts-r3. Temporary workaround: Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- NGINX Ingress Controller 5.0.0 before 5.5.2
- NGINX Ingress Controller 2026-lts-r1 before 2026-lts-r3
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 5.5.2
- 2026-lts-r3
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.