Critical ingress-nginx zero-day
A high-severity vulnerability in the ingress-nginx project can allow remote code execution and affects an EOL release, prompting urgent patching guidance for clusters that still use it. The alert recommends immediate upgrades because the maintained versions have different mitigations and the project is no longer receiving fixes for the affected branch. (x.com)
A Kubernetes ingress controller is the traffic cop that decides which app gets a web request after it reaches your cluster. ingress-nginx has been one of the most widely deployed implementations of that traffic cop, and the Kubernetes project said in November 2025 that it would stop receiving maintenance in March 2026. (kubernetes.io) That deadline has now passed. The ingress-nginx repository was archived and made read-only on March 24, 2026, which means no new releases, no bug fixes, and no future security patches from the project itself. (github.com)

The new problem is a flaw tracked as CVE-2026-4342. The Kubernetes Security Response Committee said on March 19, 2026 that a combination of ingress annotations can inject configuration into NGINX and lead to arbitrary code execution inside the ingress-nginx controller. (discuss.kubernetes.io) An annotation is just a small note attached to a Kubernetes object, but ingress-nginx reads some of those notes as instructions for how to build its web server config. In this bug, those notes can be turned into a way to smuggle attacker-controlled config into NGINX. (discuss.kubernetes.io)

Once code runs inside that controller, the blast radius gets ugly fast. GitHub's advisory says the bug can expose Secrets the controller can read, and the Kubernetes advisory notes that the default installation can access Secrets across the whole cluster. (github.com) (discuss.kubernetes.io)

The vulnerability was rated High with a Common Vulnerability Scoring System score of 8.8. The affected maintained lines were anything below versions 1.13.9, 1.14.5, and 1.15.1, and those three versions were the fixes released by the project before retirement. (discuss.kubernetes.io) That is where the end-of-life problem turns a bad bug into an urgent one.
The retirement notice says that after March 2026 there will be no further releases to resolve newly discovered security vulnerabilities, so clusters still pinned to older unsupported builds should not expect a rescue patch later. (kubernetes.github.io)

This was not even the first code-execution bug in the project in the last year. In March 2025, Kubernetes disclosed CVE-2025-1974, a Critical issue with a Common Vulnerability Scoring System score of 9.8 that was fixed in versions 1.11.5 and 1.12.1. (kubernetes.io) (github.com) There was another High-severity ingress-nginx injection bug just ten days earlier, CVE-2026-3288, fixed in versions 1.13.8, 1.14.4, and 1.15.0. The pattern is that the maintained branches were still getting emergency fixes right up until retirement, while anything older was already stranded. (discuss.kubernetes.io)

If a team still runs ingress-nginx, the first check is simple: list pods with the label `app.kubernetes.io/name=ingress-nginx` and confirm the controller version against the fixed releases. The Kubernetes advisory also says suspicious data in the `rules.http.paths.path` field of an Ingress resource can be a sign of exploitation. (discuss.kubernetes.io)

The longer-term answer is not to wait for the next advisory. Kubernetes now recommends moving off ingress-nginx entirely, with the Gateway API named as the modern replacement, because archived infrastructure software keeps routing traffic but stops getting safer. (kubernetes.io)
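The two checks described above, as an added example that is not code from the advisory or the ingress-nginx project: a version comparison against the three fixed releases (anything on an older minor line, or with no parseable tag, is treated as unpatched), and a scan of an Ingress object's `rules.http.paths.path` values for characters that do not belong in a URL path. The "suspicious" character set and the sample Ingress are constructed assumptions, not the advisory's detection logic.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the CVE-2026-4342 advisory, keyed by minor line.
FIXED_VERSIONS = {(1, 13): (1, 13, 9), (1, 14): (1, 14, 5), (1, 15): (1, 15, 1)}

# Assumption: characters that matter to NGINX config syntax but have no place in a
# path. A heuristic for triage, not a complete signature of exploitation.
SUSPICIOUS_PATH = re.compile(r"[\r\n;{}$#\\]|\s")

def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn an image tag like 'v1.14.4' into (1, 14, 4); None if it is not semver-like."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_patched(tag: str) -> bool:
    """True only when the tag is at or above the fixed release of its own minor line.
    Lines with no fix in the advisory (1.12 and older) are never patched."""
    v = parse_version(tag)
    if v is None:
        return False  # unknown tag: treat as unpatched and investigate by hand
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v >= fixed

def suspicious_paths(ingress: dict) -> List[Tuple[str, str]]:
    """Return (namespace/name, path) pairs whose rules.http.paths.path looks injected."""
    meta = ingress.get("metadata", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    hits = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            if SUSPICIOUS_PATH.search(path):
                hits.append((ident, path))
    return hits

# Constructed sample Ingress (the shape `kubectl get ingress -o json` returns): one
# ordinary prefix path and one path carrying an embedded newline.
SAMPLE_INGRESS = {
    "metadata": {"namespace": "shop", "name": "checkout"},
    "spec": {"rules": [{"host": "shop.example.test", "http": {"paths": [
        {"path": "/api", "pathType": "Prefix"},
        {"path": "/cart\nnotes", "pathType": "ImplementationSpecific"},
    ]}}]},
}

if __name__ == "__main__":
    # Feed real data with: kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
    #   -o jsonpath='{..image}'   and   kubectl get ingress -A -o json
    for tag in ("v1.13.8", "v1.14.5", "v1.12.1"):
        print(tag, "patched" if is_patched(tag) else "UNPATCHED")
    print(suspicious_paths(SAMPLE_INGRESS))
```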