CVE-2026-4342

High

Published: 19 March 2026

Published

19 March 2026

Modified

20 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4342 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the improper input validation flaw in ingress-nginx, preventing arbitrary configuration injection and code execution via Ingress annotations.

SI-10 Information Input Validation good match

prevent

Requires validation of Ingress annotations as information inputs to block malicious nginx configuration injection leading to RCE.

AC-6 Least Privilege good match

prevent

Enforces least privilege via RBAC to restrict creation or modification of Ingress resources, blocking low-privilege attackers from exploiting the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Vuln enables exploitation of public-facing ingress-nginx (T1190) for RCE-based privilege escalation from low-priv Ingress creator to controller (T1068) plus cluster secret disclosure (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible…

to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Deeper analysisAI

CVE-2026-4342 is a vulnerability in ingress-nginx that enables attackers to use a combination of Ingress annotations to inject arbitrary configuration into nginx. This flaw allows arbitrary code execution within the context of the ingress-nginx controller and disclosure of Secrets accessible to the controller. In default installations, the controller has cluster-wide access to all Secrets. The issue, classified under CWE-20 (Improper Input Validation), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-19.

The attack requires network access and low privileges, such as those of a user able to create or modify Ingress resources in the Kubernetes cluster. Successful exploitation grants arbitrary code execution as the ingress-nginx controller process, enabling full control over the controller's capabilities, alongside exfiltration of all cluster Secrets accessible to it, which defaults to cluster-wide scope.

Mitigation details and further advisories are available in the referenced sources: https://github.com/kubernetes/kubernetes/issues/137893 and http://www.openwall.com/lists/oss-security/2026/03/19/9.

Details

CWE(s): CWE-20

CVEs Like This One

CVE-2026-1580Shared CWE-20

CVE-2025-15566Shared CWE-20

CVE-2025-30213Shared CWE-20

CVE-2026-2750Shared CWE-20

CVE-2025-59886Shared CWE-20

CVE-2026-24512Shared CWE-20

CVE-2025-40836Shared CWE-20

CVE-2025-27494Shared CWE-20

CVE-2025-1097Shared CWE-20

CVE-2026-24504Shared CWE-20

References

https://github.com/kubernetes/kubernetes/issues/137893
jordan@liggitt.net
http://www.openwall.com/lists/oss-security/2026/03/19/9
af854a3a-2127-422b-91ae-364da2661108