Ingress‑NGINX zero‑day exposed
A high‑severity flaw in ingress‑nginx (CVE‑2026‑4342, CVSS 8.8) allows attackers to inject untrusted input into the controller and steal Kubernetes Secrets. Patch immediately, or isolate affected ingress controllers until you can. The bug is an "annotation trap" that can execute untrusted input inside the cluster, so classified and GovCloud Kubernetes deployments should assume compromise until remediated. (securityonline.info)
Fixed releases addressing CVE‑2026‑4342 are ingress‑nginx controller v1.13.9, v1.14.5 and v1.15.1; the Kubernetes security advisory lists every earlier version as vulnerable. (discuss.kubernetes.io)

Presence checks and simple indicators are published: run kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx to find controllers, and the advisory flags suspicious values in the Ingress object field rules.http.paths.path as an indicator of attempted configuration injection. (github.com)

The advisory also spells out the blast radius: in a default installation the ingress‑nginx controller can read Secrets cluster‑wide, so a successful injection exposes credentials well beyond the namespace the attacker's Ingress lives in. CVE records assign the issue a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network‑reachable, low attack complexity, no user interaction, and only low privileges required, which in this case amounts to the ability to create or modify an Ingress object. (cvefeed.io)

As of the public disclosures on March 19–20, 2026 there were no confirmed reports of active exploitation. The issue was recorded in the GitHub Advisory Database and announced by the Kubernetes Security Response Committee on March 19, 2026. (cvetodo.com)

Vendor and incident‑response guidance being circulated recommends reducing the attack surface when an immediate upgrade is not possible: restrict via RBAC who can create or modify Ingress objects, minimize the permissions and namespace scope of the ingress‑nginx ServiceAccount, and apply network policies to restrict the controller's egress. (sentinelone.com)

Operational planning note: the ingress‑nginx project page states best‑effort maintenance through March 2026, which increases the reliance on timely upgrades to the fixed controller releases for organizations running legacy branches in AWS GovCloud or classified enclaves. (kubernetes.github.io)
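The two checks above (is every controller on a fixed release, and does any Ingress path look like attempted configuration injection) are easier to run consistently across many clusters as a small script than by eyeballing kubectl output. The following is an added example and is not code from the ingress‑nginx project or the Kubernetes advisory. It consumes the JSON output of the advisory's pod listing (with -o json appended) and of kubectl get ingress --all-namespaces -o json, and falls back to constructed sample objects when kubectl is not available. Several things in it are assumptions rather than facts from the advisory: that controller images are published under a path ending in /controller or /controller-chroot, that any branch newer than 1.15 post-dates the fix, and the set of characters treated as "suspicious" in a path (the advisory names the field as an indicator but publishes no byte pattern; the script flags characters that would terminate or open an NGINX directive or block if the value reached nginx.conf unescaped). The kubectl_json helper is also the example's own.

```python
"""Triage helpers for CVE-2026-4342 in ingress-nginx (added example, not project code).

Input is the JSON form of the advisory's pod listing and of
"kubectl get ingress --all-namespaces -o json"; the sample objects at the
bottom are constructed for the demonstration, not captured from a cluster.
"""
import json
import re
import shutil
import subprocess

# Fixed controller releases named in the Kubernetes advisory, keyed by (major, minor).
FIXED = {(1, 13): 9, (1, 14): 5, (1, 15): 1}

# Assumption: controller images live at .../ingress-nginx/controller or
# controller-chroot; other containers matching the pod selector (e.g. the
# webhook certgen job) are skipped rather than mis-scored.
CONTROLLER_RE = re.compile(r"/controller(?:-chroot)?(?:[:@]|$)")
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:[-+][\w.]+)?(?:@sha256:[0-9a-f]{64})?$")

# Assumption: the advisory gives no byte pattern for "suspicious" paths; these
# are characters that would end or open an NGINX directive/block if the value
# reached nginx.conf unescaped.
INJECTION_CHARS = set(";{}#\n\r\t \x00")


def controller_version(image):
    """(major, minor, patch) from an image reference, or None without a semver tag."""
    m = TAG_RE.search(image)
    return tuple(int(g) for g in m.groups()) if m else None


def is_fixed(image):
    """True if the tag is a fixed release or newer, False if vulnerable, None if unknown."""
    v = controller_version(image)
    if v is None or v[0] != 1:
        return None
    _, minor, patch = v
    if (1, minor) in FIXED:
        return patch >= FIXED[(1, minor)]
    # Branches below 1.13 are "earlier than the fixed releases", hence vulnerable;
    # assumption: a branch above 1.15 post-dates the fix.
    return minor > 15


def vulnerable_controllers(pod_list):
    """Yield (namespace, pod, image, verdict) for controller containers not on a fixed release."""
    for pod in pod_list.get("items", []):
        md = pod["metadata"]
        for c in pod.get("spec", {}).get("containers", []):
            image = c["image"]
            if not CONTROLLER_RE.search(image):
                continue  # not the controller image (see assumption above)
            fixed = is_fixed(image)
            if fixed is not True:
                yield md["namespace"], md["name"], image, "unknown" if fixed is None else "vulnerable"


def suspicious_paths(ingress_list):
    """Yield (namespace, ingress, path, offending_chars) for paths that look like config injection."""
    for ing in ingress_list.get("items", []):
        md = ing["metadata"]
        for rule in ing.get("spec", {}).get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                path = p.get("path") or ""
                bad = sorted(INJECTION_CHARS & set(path))
                if bad:
                    yield md["namespace"], md["name"], path, "".join(bad)


def kubectl_json(*args):
    """Run kubectl with -o json; None when kubectl is missing or the call fails (helper is an assumption)."""
    if shutil.which("kubectl") is None:
        return None
    try:
        out = subprocess.run(["kubectl", *args, "-o", "json"], capture_output=True, text=True, check=True).stdout
    except subprocess.CalledProcessError:
        return None
    return json.loads(out)


# Constructed sample data: one controller still on 1.13.8, one already on 1.14.5,
# one benign Ingress and one whose path carries NGINX directive syntax.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7d4c"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller:v1.13.8@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-a1b2"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller:v1.14.5"}]}},
]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"host": "shop.example.test",
                         "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]}},
    {"metadata": {"namespace": "tenant-b", "name": "api"},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/api; }\nlocation /x {", "pathType": "ImplementationSpecific"}]}}]}},
]}

if __name__ == "__main__":
    pods = kubectl_json("get", "pods", "--all-namespaces",
                        "--selector", "app.kubernetes.io/name=ingress-nginx") or SAMPLE_PODS
    ingresses = kubectl_json("get", "ingress", "--all-namespaces") or SAMPLE_INGRESSES
    for ns, pod, image, verdict in vulnerable_controllers(pods):
        print(f"{verdict}: {ns}/{pod} {image}")
    for ns, name, path, chars in suspicious_paths(ingresses):
        print(f"suspicious path in {ns}/{name}: {path!r} (chars {chars!r})")
```

Against the sample data the script reports the ingress-nginx/ingress-nginx-controller-7d4c pod as vulnerable (1.13.8 is below the fixed 1.13.9) and the tenant-b/api Ingress as carrying a suspicious path; a digest-only image reference is reported as "unknown" rather than silently passed, because the tag is what the advisory keys its fixed releases on. A hit on the path check is an indicator, not proof: confirm by reading the rendered configuration from the controller pod before declaring an incident.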