Critical Kubernetes flaw

Kubernetes is the system many companies use to run dozens or hundreds of apps across clusters of servers, and an ingress controller is the traffic cop that decides which incoming web request goes to which app. The project at the center of this alert is ingress-nginx, a widely used controller that translates Kubernetes rules into live NGINX web server config. (kubernetes.io) That translation step is the dangerous part. If an attacker can smuggle extra text into the generated NGINX config, they can turn a routing rule into executable server instructions, which is what Kubernetes disclosed in CVE-2026-4342 on March 19, 2026. (discuss.kubernetes.io) The bug sits in Ingress annotations, which are little key-value notes attached to an Ingress object. Kubernetes said a combination of those annotations can inject configuration into NGINX comments and then break out into active directives. (github.com) Once that happens, the attacker is no longer just changing where traffic goes. The advisory says the flaw can lead to arbitrary code execution inside the ingress-nginx controller process and disclosure of Kubernetes Secrets the controller can read. (cve.org) That last detail is why this is worse than a normal web-server bug. In the default installation, the controller can access Secrets cluster-wide, so a compromise of one exposed front door can become a compromise of passwords, tokens, and certificates used by many workloads behind it. (github.com) The fixed releases are v1.13.9, v1.14.5, and v1.15.1, which means anything below those versions is in the danger zone. Belgium’s Center for Cybersecurity published the same version ranges and scored the issue 8.8 on the Common Vulnerability Scoring System, which is the industry’s standard severity scale. (ccb.belgium.be) The timing makes this uglier. Kubernetes announced in November 2025 that ingress-nginx would get only best-effort maintenance until March 2026, and after that there would be no further releases, bug fixes, or security updates for the project. (kubernetes.io) So this is not just a “patch when you get a chance” situation. If you are still on ingress-nginx after March 2026, every new flaw lands on software that the Kubernetes project has already said is retired, which is why the maintainers are pushing teams to upgrade immediately and plan a migration. (kubernetes.io) Kubernetes’ own migration advice points people toward Gateway API, which is the newer traffic-management model, or to other maintained ingress controllers if they still need the older Ingress pattern. Existing ingress-nginx deployments will keep running, but “still running” and “still getting security fixes” are now two different things. (kubernetes.io) The practical check is simple: if `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx` returns running pods, you have this component in your cluster and should verify the controller version against the patched releases. That one command is the difference between “not affected” and “front door exposed.” (github.com)