CVE-2025-15566
Published: 06 February 2026
Summary
CVE-2025-15566 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CWE-20 improper input validation in the auth-proxy-set-headers annotation that enables nginx configuration injection leading to RCE.
Enforces least privilege to restrict creation or modification of Ingress resources, preventing low-privileged (PR:L) attackers from exploiting the vulnerability.
Mandates timely flaw remediation by patching ingress-nginx to a fixed version, eliminating the configuration injection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables RCE via config injection in public ingress controller (T1190), cluster privilege escalation from namespace-scoped access (T1068), and cluster-wide secret disclosure (T1552).
NVD Description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to…
more
the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Deeper analysisAI
CVE-2025-15566 is a vulnerability in ingress-nginx, a Kubernetes ingress controller, where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation allows attackers to inject arbitrary configuration into the nginx process. This flaw enables arbitrary code execution within the context of the ingress-nginx controller and can result in the disclosure of Secrets accessible to the controller. In default installations, the controller has cluster-wide access to all Secrets. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-20 (Improper Input Validation). It was published on 2026-02-06.
An attacker with low privileges (PR:L), such as the ability to create or modify Ingress resources in a namespace, can exploit this over the network with low complexity and no user interaction required. Successful exploitation grants arbitrary code execution as the ingress-nginx controller process, allowing full control over the controller's capabilities, including high-impact confidentiality, integrity, and availability violations. Additionally, attackers can disclose any Secrets the controller can access, which spans the entire cluster in default configurations.
Mitigation details and further discussion are available in the Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/136789.
Details
- CWE(s)