DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-1580

High

Low Medium High Critical

8.8

CVSS Score

Published: Feb 03, 2026

Last Modified: Feb 04, 2026

CWE: CWE-20

Vulnerability Description

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Available Security Patches

2 patches available from vendors

View All Patches

Oracle

CPUAPR2026

Oracle Critical Patch Update Advisory - April 2026

Severity

Critical

Released

Apr 21, 2026

Restart Required

Security Update

View Details Vendor Page

SUSE

CVE-2026-1580

Severity

Unknown

Released

Mar 05, 2026

Security Update

View Details Vendor Page

Browse All Security Patches

References & Resources

https://github.com/kubernetes/kubernetes/issues/136677
jordan@liggitt.net

Severity Details

8.8

out of 10.0

High

Weakness Type (CWE)

CWE-20 Top 25 #14

Improper Input Validation

Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class