CVE-2026-1580
Published: 03 February 2026
Summary
CVE-2026-1580 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validation of Ingress annotations to prevent arbitrary nginx configuration injection due to improper input validation (CWE-20).
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws like this ingress-nginx vulnerability to eliminate arbitrary code execution and Secret disclosure risks.
- Least privilege on Kubernetes RBAC: Restricts Ingress resource creation or modification to authorized users only, limiting low-privilege (PR:L) exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Ingress annotation injection enables RCE on public-facing ingress-nginx (T1190) with cluster-wide Secret access, directly supporting privilege escalation (T1068) and credential disclosure (T1552).
NVD Description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Deeper analysis
CVE-2026-1580 is a vulnerability in ingress-nginx that allows the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation to inject arbitrary configuration into nginx. This issue affects the ingress-nginx controller in Kubernetes clusters and can result in arbitrary code execution within the controller's context as well as disclosure of Secrets accessible to the controller. In default installations, the controller has cluster-wide access to all Secrets. Published on 2026-02-03, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-20 (Improper Input Validation).
An attacker requires low privileges (PR:L), such as the ability to create or modify Ingress resources, to exploit this over the network with low complexity and no user interaction. Successful exploitation enables arbitrary code execution in the ingress-nginx controller's context, high-impact confidentiality loss through Secret disclosure, high integrity and availability impacts, and unchanged scope.
Mitigation details and related discussion are available in the Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/136677.
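As an added illustration of the SI-10 input-validation control above (example code written for this page, not code from ingress-nginx or the Kubernetes project), the following audit flags Ingress objects whose `nginx.ingress.kubernetes.io/auth-method` annotation carries anything other than a bare HTTP method token. The allowlist of methods and the sample Ingress objects are assumptions constructed here; in a real cluster the objects would come from the Kubernetes API.

```python
import re
from typing import List

# Annotation named in the CVE-2026-1580 description.
AUTH_METHOD_ANNOTATION = "nginx.ingress.kubernetes.io/auth-method"

# Assumed allowlist: the annotation is documented as the HTTP method used for the
# external auth request, so a legitimate value is a single bare method token.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}

# Characters that end or open nginx directives/blocks, start comments or expand
# variables. None can appear in an HTTP method, so any hit marks a likely
# configuration-injection attempt rather than a typo.
INJECTION_CHARS = re.compile("[;{}\r\n$#\"']")


def check_auth_method(ingress: dict) -> List[str]:
    """Return findings for one Ingress object (a dict as returned by the API); [] means clean."""
    meta = ingress.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    value = (meta.get("annotations") or {}).get(AUTH_METHOD_ANNOTATION)
    if value is None:
        return []  # annotation absent: nothing reaches the nginx template
    findings = []
    if INJECTION_CHARS.search(value):
        findings.append(f"{ident}: auth-method contains nginx directive syntax: {value!r}")
    if value.strip().upper() not in ALLOWED_METHODS:
        findings.append(f"{ident}: auth-method {value!r} is not an allowed HTTP method")
    return findings


def audit(ingresses: List[dict]) -> List[str]:
    """Run the check over a cluster-wide Ingress listing (e.g. the `items` of
    `kubectl get ingress -A -o json`) and collect every finding."""
    return [f for ing in ingresses for f in check_auth_method(ing)]


# Constructed sample objects, not taken from any real cluster.
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "web", "name": "shop",
                  "annotations": {AUTH_METHOD_ANNOTATION: "POST"}}},
    {"metadata": {"namespace": "web", "name": "blog", "annotations": {}}},
    {"metadata": {"namespace": "dev", "name": "scratch",
                  "annotations": {AUTH_METHOD_ANNOTATION: "GET;\nexample_directive"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INGRESSES):
        print(finding)
```

The same check can be enforced at admission time (for example in a validating webhook or policy) so that a non-conforming annotation is rejected before the controller ever renders it.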
Details
- CWE(s)