CVE-2026-3288
Published: 09 March 2026
Summary
CVE-2026-3288 is a high-severity Improper Input Validation (CWE-20) vulnerability in Kubernetes Ingress-Nginx. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3288, published on 2026-03-09, is a vulnerability in the ingress-nginx controller for Kubernetes. It stems from improper handling of the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation, which allows attackers to inject arbitrary configuration into the underlying nginx process. This can result in arbitrary code execution within the context of the ingress-nginx controller pod, as well as disclosure of Kubernetes Secrets accessible to the controller. In default installations, the controller has cluster-wide read access to all Secrets. The issue is rated at CVSS v3.1 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-20: Improper Input Validation.
Exploitation requires low privileges, specifically the ability to create or modify Ingress resources in a targeted namespace, and can be performed remotely over the network with low complexity and no user interaction. A successful attack grants arbitrary code execution as the ingress-nginx controller, enabling high confidentiality, integrity, and availability impacts. Attackers can also exfiltrate sensitive Secrets, potentially exposing cluster-wide credentials in default configurations.
Advisories and related resources, including the Kubernetes issue tracker (https://github.com/kubernetes/kubernetes/issues/137560), OSS-Security mailing list (http://www.openwall.com/lists/oss-security/2026/03/09/8), and a proof-of-concept lab (https://github.com/bvabhishek/CVE-2026-3288-lab), provide further details on the issue and potential mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10360
Vulnerability details
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Related Threats
MITRE ATT&CK Enterprise Techniques
A vulnerability in a public-facing ingress controller enables T1190 (Exploit Public-Facing Application) for remote code execution via a Unix shell inside the container (T1059.004) and for disclosure of Secrets (T1552, Unsecured Credentials).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the CWE-20 improper input validation by requiring validation of the rewrite-target annotation value, so that malicious configuration cannot be injected into nginx.
- SI-2 (Flaw Remediation): ensures timely remediation by patching the ingress-nginx controller, eliminating the improper handling of the annotation.
- AC-6 (Least Privilege): restricts which low-privileged users may create or modify Ingress resources, the permission required for exploitation.
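As an added example (not part of the advisory or the ingress-nginx project), the following audit script supports the SI-10 control discussed above and the analysis of the annotation in the Deeper analysis section: it lists every Ingress in a cluster that uses the `rewrite-target` annotation and flags values that do not look like a plain rewrite path. The allow-list pattern is a conservative assumption made here, not ingress-nginx's own validation rule, and the sample IngressList is constructed.

```python
import json
import re
import sys

# Ingress annotation named in the advisory for CVE-2026-3288.
REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

# Conservative allow-list for a rewrite target (an assumption for this audit, not
# ingress-nginx's own rule): URL path characters plus $1-style capture references.
# Anything else (whitespace, quotes, line breaks, ...) is reported for review.
SAFE_REWRITE_TARGET = re.compile(r"/(?:[A-Za-z0-9._~%!&'()*+,=:@/\-]|\$[0-9])*")

def audit_ingresses(ingress_list: dict) -> list[dict]:
    """Report every Ingress carrying the rewrite-target annotation.

    Input is the parsed output of `kubectl get ingress -A -o json`; each
    finding records where the annotation is set and whether it passes the allow-list.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(REWRITE_TARGET)
        if value is None:
            continue  # annotation not used by this Ingress
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "<unnamed>"),
            "value": value,
            "suspicious": SAFE_REWRITE_TARGET.fullmatch(value) is None,
        })
    return findings

# Constructed sample IngressList: one ordinary rewrite, one value that is not a
# plain path, and one Ingress without the annotation at all.
SAMPLE_INGRESS_LIST = {
    "kind": "IngressList",
    "items": [
        {"metadata": {"namespace": "shop", "name": "api",
                      "annotations": {REWRITE_TARGET: "/$2"}}},
        {"metadata": {"namespace": "dev", "name": "scratch",
                      "annotations": {REWRITE_TARGET: '/app "extra"'}}},
        {"metadata": {"namespace": "kube-system", "name": "plain"}},
    ],
}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INGRESS_LIST
    for f in audit_ingresses(data):
        print(("REVIEW" if f["suspicious"] else "ok").ljust(6), f'{f["namespace"]}/{f["name"]}:', repr(f["value"]))
```

Pipe `kubectl get ingress -A -o json` into the script to audit a live cluster; run it with no input to see the constructed sample. Flagged entries are candidates for review or removal until the controller is patched, and the allow-list can be tightened to match what your workloads actually need.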