Cyber Resilience

CVE-2026-3288

Severity: High
Published: 09 March 2026
Modified: 06 May 2026
KEV Added: not listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0667 (93.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3288 is a high-severity Improper Input Validation (CWE-20) vulnerability in Kubernetes Ingress-Nginx. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3288, published on 2026-03-09, is a vulnerability in the ingress-nginx controller for Kubernetes. It stems from improper handling of the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation, which allows attackers to inject arbitrary configuration into the underlying nginx process. This can result in arbitrary code execution within the context of the ingress-nginx controller pod, as well as disclosure of Kubernetes Secrets accessible to the controller. In default installations, the controller has cluster-wide read access to all Secrets. The issue is rated at CVSS v3.1 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-20: Improper Input Validation.

Exploitation requires low privileges, specifically the ability to create or modify Ingress resources in a targeted namespace, and can be performed remotely over the network with low complexity and no user interaction. A successful attack grants arbitrary code execution as the ingress-nginx controller, enabling high confidentiality, integrity, and availability impacts. Attackers can also exfiltrate sensitive Secrets, potentially exposing cluster-wide credentials in default configurations.

Advisories and related resources, including the Kubernetes issue tracker (https://github.com/kubernetes/kubernetes/issues/137560), OSS-Security mailing list (http://www.openwall.com/lists/oss-security/2026/03/09/8), and a proof-of-concept lab (https://github.com/bvabhishek/CVE-2026-3288-lab), provide further details on the issue and potential mitigations.

Vulnerability details

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

A vulnerability in a public-facing ingress controller gives an attacker an initial-access path (T1190); the resulting code execution lands in a Unix shell inside the controller container (T1059.004), and the controller's access to Secrets makes unsecured credentials reachable (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4342 (same vendor: Kubernetes)
CVE-2026-34980 (shared CWE-20)
CVE-2025-63213 (shared CWE-20)
CVE-2024-56135 (shared CWE-20)
CVE-2025-30452 (shared CWE-20)
CVE-2025-14558 (shared CWE-20)
CVE-2024-56131 (shared CWE-20)
CVE-2026-32604 (shared CWE-20)
CVE-2026-24512 (shared CWE-20)
CVE-2024-56133 (shared CWE-20)

Affected Assets

kubernetes ingress-nginx: versions ≤ 1.13.8, and 1.14.0 through 1.14.4

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses CWE-20 improper input validation by requiring validation mechanisms for the rewrite-target annotation to prevent malicious configuration injection.

SI-2 Flaw Remediation (prevent): Ensures timely flaw remediation by patching the ingress-nginx controller, which eliminates the improper handling of the annotation.

AC-6 Least Privilege (prevent): Enforces least privilege to restrict low-privileged users from creating or modifying the Ingress resources necessary for exploitation.
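As an added example (not code from this page, from the Kubernetes project, or from the linked lab), the Python script below implements two defender-side checks that follow from the advisory text: a version test against the ranges listed under Affected Assets, and a scan of Kubernetes API-server audit events for create, update and patch operations on Ingress objects that carry the `nginx.ingress.kubernetes.io/rewrite-target` annotation, reporting who set which value. The audit events, user names and annotation values are constructed. The allowlist used to mark a value as suspicious (a path of URL-safe characters plus `$N` capture references such as `/$1`) is an assumption of this example, since the page does not state which characters the injection relies on; a flagged value is a prompt for review, not proof of exploitation.

```python
"""Added example: defender-side checks for the ingress-nginx rewrite-target
issue described on this page. Not code from the page or the Kubernetes project.
Audit events below are constructed; the allowlist is an assumption."""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Annotation named in the advisory text.
REWRITE_ANNOTATION = "nginx.ingress.kubernetes.io/rewrite-target"

# Assumed conservative allowlist: a leading "/" followed by URL-safe path
# characters or "$N" capture references (e.g. "/$1", "/api/$2"). Anything
# else (whitespace, quotes, ';', braces, newlines, ...) is flagged for review.
SAFE_REWRITE_TARGET = re.compile(r"^/(?:[A-Za-z0-9_.~/\-]|\$\d)*$")

# Affected ranges from "Affected Assets": <= 1.13.8 and 1.14.0 through 1.14.4.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string such as "v1.14.4" to a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected_version(version: str) -> bool:
    """True if the controller version falls inside a range the page lists as affected."""
    v = parse_version(version)
    return v <= (1, 13, 8) or (1, 14, 0) <= v <= (1, 14, 4)


def rewrite_target_suspicious(value: str) -> bool:
    """True if the annotation value contains anything outside the assumed allowlist."""
    return SAFE_REWRITE_TARGET.match(value) is None


def _object_annotations(event: dict) -> Dict[str, str]:
    # At audit level RequestResponse the stored object is in responseObject;
    # fall back to requestObject for lower audit levels or rejected requests.
    obj = event.get("responseObject") or event.get("requestObject") or {}
    metadata = obj.get("metadata") or {}
    return metadata.get("annotations") or {}


def ingress_alerts(audit_lines: Iterable[str]) -> List[dict]:
    """Scan JSON-lines Kubernetes audit events for Ingress writes that carry the
    rewrite-target annotation and report who set which value."""
    alerts = []
    for line in audit_lines:
        event = json.loads(line)
        ref = event.get("objectRef") or {}
        if ref.get("resource") != "ingresses":
            continue
        if event.get("verb") not in ("create", "update", "patch"):
            continue
        annotations = _object_annotations(event)
        if REWRITE_ANNOTATION not in annotations:
            continue
        value = annotations[REWRITE_ANNOTATION]
        alerts.append({
            "auditID": event.get("auditID"),
            "user": (event.get("user") or {}).get("username"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
            "verb": event["verb"],
            "value": value,
            "suspicious": rewrite_target_suspicious(value),
        })
    return alerts


def _event(audit_id, verb, resource, namespace, name, user, annotations=None):
    """Build one constructed audit event in the audit.k8s.io/v1 shape."""
    ev = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse", "stage": "ResponseComplete",
        "auditID": audit_id, "verb": verb, "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": namespace, "name": name},
    }
    if annotations is not None:
        ev["responseObject"] = {"metadata": {"name": name, "annotations": annotations}}
    return json.dumps(ev)


# Constructed sample log: one benign rewrite, one out-of-allowlist value,
# one unrelated Secret read and one Ingress without the annotation.
SAMPLE_AUDIT_EVENTS = [
    _event("c0-0001", "create", "ingresses", "team-a", "web", "dev-alice",
           {REWRITE_ANNOTATION: "/$1"}),
    _event("c0-0002", "update", "ingresses", "team-b", "api", "dev-bob",
           {REWRITE_ANNOTATION: "/$1 junk"}),
    _event("c0-0003", "get", "secrets", "kube-system", "tls-cert", "ingress-nginx"),
    _event("c0-0004", "create", "ingresses", "team-c", "static", "dev-carol",
           {"kubernetes.io/ingress.class": "nginx"}),
]

if __name__ == "__main__":
    for v in ("1.13.8", "v1.14.4", "1.14.5", "1.15.0"):
        print(f"{v}: {'affected' if is_affected_version(v) else 'not affected'}")
    for alert in ingress_alerts(SAMPLE_AUDIT_EVENTS):
        print(alert)
```

Run against a real audit log by feeding `ingress_alerts` the lines of the API server's audit file with a policy that records Ingress writes at `RequestResponse` level; the `user` and `namespace` fields in each alert are what an AC-6 review needs to decide whether that principal should hold create or update rights on Ingress resources at all.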

References