Analysis of CVE-2026-24512: configuration injection in ingress-nginx

CVE-2026-24512 describes a configuration injection vulnerability in ingress-nginx. The officially reported impact includes code execution in the context of the controller and exposure of secrets accessible to it.

Security Researcher

Heitor Gouvêa

TL;DR

In Kubernetes, the Ingress object defines HTTP/HTTPS rules for routing external traffic to internal services of the cluster. For these rules to take effect, an Ingress Controller must be running [1]. ingress-nginx is one such controller, based on NGINX; its official documentation describes it as built around the Ingress resource, using a ConfigMap for the controller's configuration [2].

CVE-2026-24512 describes a configuration injection vulnerability in ingress-nginx: the rules.http.paths.path field can be used to inject content into nginx.conf. The officially reported impact includes code execution in the context of the controller and exposure of secrets accessible to it [3][4].

The severity published by the CNA (Kubernetes) is CVSS v3.1 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [3][4].

The discovery was officially attributed to Maxime Escourbiac and Yassine Bengana (Michelin CERT) [3][8].



How the vulnerability occurs

  1. An attacker with permission to create/edit Ingress objects sends a malicious path in rules.http.paths.path.

  2. The controller processes this value when rendering the NGINX template.

  3. Without proper escaping/quoting, the value can "break" the expected directive and inject additional configuration.

  4. NGINX reloads the resulting configuration.

In summary: the core issue is insecure handling of untrusted input during the generation of nginx.conf [3][6][9].

Was I affected?

If you do not use ingress-nginx, this CVE does not apply [3].

  1. Check for ingress-nginx in the cluster

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

  2. Check the images/versions in use

kubectl get deploy -A -l app.kubernetes.io/name=ingress-nginx \
  -o=jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.template.spec.containers[*]}{.name}={.image}{" "}{end}{"\n"}{end}'

  3. Compare with the affected ranges

  •   ingress-nginx < v1.13.7

  •   ingress-nginx < v1.14.3

    (in operational practice: update to v1.13.7, v1.14.3 or higher) [3][5].

Example manifest with valid test payload (non-exploitable)

This payload is useful for validating the sanitization of quotes and backslashes (the same pattern used in the patch tests):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cve-2026-24512-sanitization-test
spec:
  ingressClassName: nginx
  rules:
  - host: escape.test
    http:
      paths:
      - path: '/"\\'
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 80

With the fix applied, the expected rendering keeps the value enclosed in quotes and escaped in nginx.conf, in a format equivalent to:

location "/\"\\\\" {
    ...
}

Impact

The impact includes the possibility of code execution within the ingress-nginx pod, which gives the attacker control over the controller's process. Additionally, there is a risk of leaking Secrets accessible to this controller; in default configurations, this may encompass Secrets from the entire cluster, significantly broadening the scope of the compromise [3].



Fix and why the flaw occurred

Patch diff: https://github.com/kubernetes/ingress-nginx/pull/14501/files [9]

The patch fixes the vulnerability by escaping and quoting the values that come from the Ingress before they are rendered into nginx.conf, so that path or server_name values cannot break out of their directive and inject configuration.

1. buildLocation now always puts the path in quotes and escapes \ and " through the new function sanitizeQuotedRegex.

  • Before: the path was inserted raw, including in PathTypeExact (= %s) and in the default (%s).

  • Now: PathTypeExact uses = "%s" and the default uses "%s", always escaping \ and ".

2. server_name and aliases are also now quoted/escaped in the NGINX template.

  • server_name uses | quote and aliases go through sanitizeQuotedRegex.

In summary, placing these values in quotes and escaping special characters addresses the risk of configuration injection: malicious inputs can no longer "close" the directive and inject new instructions into nginx.conf.
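
The quoting and escaping described above, as an added Go sketch that is not taken from the ingress-nginx source. `escapeQuoted`, `locationArg` and `isSingleQuotedArg` are hypothetical names, and the escaping is an assumed reimplementation of what this page attributes to sanitizeQuotedRegex; it renders the page's test path with the pre-patch and patched formats and checks whether the result is still one quoted argument.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeQuoted escapes backslash and double quote, the two characters the
// page says the patch escapes (assumed reimplementation, not project code).
func escapeQuoted(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(s)
}

// locationArg renders the location argument with the formats the page lists:
// before the patch "= %s" / "%s" (raw), after it `= "%s"` / `"%s"` (escaped).
func locationArg(path string, exact, patched bool) string {
	format := "%s"
	if patched {
		path, format = escapeQuoted(path), `"%s"`
	}
	if exact {
		format = "= " + format
	}
	return fmt.Sprintf(format, path)
}

// isSingleQuotedArg reports whether arg is exactly one double-quoted token:
// it opens with a quote and the first unescaped quote is its last byte.
func isSingleQuotedArg(arg string) bool {
	arg = strings.TrimPrefix(arg, "= ")
	if len(arg) < 2 || arg[0] != '"' {
		return false
	}
	for i := 1; i < len(arg); i++ {
		switch arg[i] {
		case '\\':
			i++ // skip the escaped character
		case '"':
			return i == len(arg)-1
		}
	}
	return false
}

func main() {
	p := `/"\\` // path from the sanitization test manifest on this page
	for _, patched := range []bool{false, true} {
		arg := locationArg(p, false, patched)
		fmt.Printf("patched=%v  location %s {  quoted=%v\n", patched, arg, isSingleQuotedArg(arg))
	}
}
```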

Recommendation

  1. Main action: update to v1.13.7, v1.14.3 or higher [3][5][10].

  2. Temporary mitigation: use admission validation to reject Ingress with pathType=ImplementationSpecific until the update [3].

  3. Monitoring: treat suspicious values in rules.http.paths.path as an indication of attempted exploitation [3].
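
An audit that supports the temporary mitigation and the monitoring step, added here as an example and not part of ingress-nginx or the advisory: it reads the JSON produced by `kubectl get ingress -A -o json` and lists paths that use pathType=ImplementationSpecific or contain a quote, backslash or whitespace. The character set is an assumed heuristic, `auditIngresses` is a hypothetical name, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of `kubectl get ingress -A -o json` that the audit reads.
type ingressList struct {
	Items []struct {
		Metadata struct{ Namespace, Name string }
		Spec     struct {
			Rules []struct{ HTTP struct{ Paths []struct{ Path, PathType string } } }
		}
	}
}

// Constructed sample: the test manifest from this page plus an ordinary Prefix rule.
const sample = `{"items":[
 {"metadata":{"namespace":"default","name":"cve-2026-24512-sanitization-test"},"spec":{"rules":[{"http":{"paths":[{"path":"/\"\\\\","pathType":"ImplementationSpecific"}]}}]}},
 {"metadata":{"namespace":"shop","name":"web"},"spec":{"rules":[{"http":{"paths":[{"path":"/api","pathType":"Prefix"}]}}]}}]}`

// auditIngresses returns one line per path that the temporary mitigation would
// reject (ImplementationSpecific) or that matches the assumed character heuristic.
func auditIngresses(data []byte) (findings []string, err error) {
	var list ingressList
	if err = json.Unmarshal(data, &list); err != nil {
		return nil, err
	}
	for _, ing := range list.Items {
		for _, rule := range ing.Spec.Rules {
			for _, p := range rule.HTTP.Paths {
				if p.PathType == "ImplementationSpecific" || strings.ContainsAny(p.Path, "\"\\ \t\r\n") {
					findings = append(findings, fmt.Sprintf("%s/%s pathType=%s path=%q",
						ing.Metadata.Namespace, ing.Metadata.Name, p.PathType, p.Path))
				}
			}
		}
	}
	return findings, nil
}

func main() {
	findings, _ := auditIngresses([]byte(sample)) // the embedded sample is valid JSON
	fmt.Println(strings.Join(findings, "\n"))
}
```

Legitimate regex paths can contain backslashes, so each finding is a prompt for review and not proof of an exploitation attempt.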

Conclusion

CVE-2026-24512 is critical for environments with ingress-nginx because it combines an injection vector in the proxy configuration with high potential impact (RCE + exposure of secrets). Mitigation through admission policy reduces the immediate risk but does not replace updating to the fixed versions.

References

[1] https://kubernetes.io/docs/concepts/services-networking/ingress/
[2] https://kubernetes.github.io/ingress-nginx/
[3] https://github.com/kubernetes/kubernetes/issues/136678
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-24512
[5] https://www.runzero.com/blog/k8s-ingress-nginx-controller/
[6] https://owasp.org/www-community/attacks/Code_Injection
[7] https://app.quor.dev/images/76/default/ingress-nginx-controller/details
[8] https://cert.michelin.com/
[9] https://github.com/kubernetes/ingress-nginx/pull/14501
[10] https://kubernetes.github.io/ingress-nginx/deploy/upgrade/
