Cyber Resilience

CVE-2026-4342

High

Published: 19 March 2026

Published
19 March 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0149 70.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4342 is a high-severity Improper Input Validation (CWE-20) vulnerability in Kubernetes Nginx Ingress Controller. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4342 is a vulnerability in ingress-nginx that enables attackers to use a combination of Ingress annotations to inject arbitrary configuration into nginx. This flaw allows arbitrary code execution within the context of the ingress-nginx controller and disclosure of Secrets accessible to the controller. In default installations, the controller has cluster-wide access to all Secrets. The issue, classified under CWE-20 (Improper Input Validation), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-19.

The attack requires network access and low privileges, such as those of a user able to create or modify Ingress resources in the Kubernetes cluster. Successful exploitation grants arbitrary code execution as the ingress-nginx controller process, enabling full control over the controller's capabilities, alongside exfiltration of all cluster Secrets accessible to it, which defaults to cluster-wide scope.

Mitigation details and further advisories are available in the referenced sources: https://github.com/kubernetes/kubernetes/issues/137893 and http://www.openwall.com/lists/oss-security/2026/03/19/9.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible…

more

to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vuln enables exploitation of public-facing ingress-nginx (T1190) for RCE-based privilege escalation from low-priv Ingress creator to controller (T1068) plus cluster secret disclosure (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3288Same vendor: Kubernetes
CVE-2026-1580Shared CWE-20
CVE-2025-15566Shared CWE-20
CVE-2026-2750Shared CWE-20
CVE-2025-27494Shared CWE-20
CVE-2025-59886Shared CWE-20
CVE-2026-24512Shared CWE-20
CVE-2025-30213Shared CWE-20
CVE-2025-40836Shared CWE-20
CVE-2026-24504Shared CWE-20

Affected Assets

kubernetes
nginx ingress controller
1.15.0 · ≤ 1.13.9 · 1.14.0 — 1.14.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the improper input validation flaw in ingress-nginx, preventing arbitrary configuration injection and code execution via Ingress annotations.

prevent

Requires validation of Ingress annotations as information inputs to block malicious nginx configuration injection leading to RCE.

prevent

Enforces least privilege via RBAC to restrict creation or modification of Ingress resources, blocking low-privilege attackers from exploiting the vulnerability.

References