4 new vulnerabilities present in Ingress NGINX

CVE-2026-1580 is an improper input validation issue. If the Ingress NGINX controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.
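The two configuration preconditions described above can be inventoried from cluster state. The following is an added example, not code from the article or the ingress-nginx project; it assumes the default `nginx.ingress.kubernetes.io` annotation prefix and that the default custom-errors configuration lives in the controller ConfigMap key `custom-http-errors`, and the sample objects are constructed. It cannot tell whether the custom-errors backend honours X-Code, so every finding still needs that backend checked by hand.

```python
import json

# Assumption: default annotation prefix (it is configurable on the controller).
AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
RISKY_CODES = {"401", "403"}  # the codes named in the CVE-2026-1580 description

def intercepted_codes(configmap):
    """Return the status codes listed in the ConfigMap's custom-http-errors key."""
    raw = (configmap.get("data") or {}).get("custom-http-errors", "")
    return {code.strip() for code in raw.split(",") if code.strip()}

def exposed_ingresses(configmap, ingress_list):
    """List auth-url Ingresses when 401/403 go to the custom-errors backend."""
    risky = sorted(intercepted_codes(configmap) & RISKY_CODES)
    if not risky:
        return []  # first precondition not met, nothing to report
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if AUTH_URL in annotations:
            findings.append({
                "ingress": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
                "auth_url": annotations[AUTH_URL],
                "intercepted": risky,
            })
    return findings

# Constructed sample data, shaped like `kubectl ... -o json` output.
SAMPLE_CONFIGMAP = {"data": {"custom-http-errors": "401, 404,503"}}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "admin", "annotations": {
        AUTH_URL: "https://auth.example.internal/verify"}}},
    {"metadata": {"namespace": "shop", "name": "public", "annotations": {}}},
    {"metadata": {"namespace": "blog", "name": "www"}},
]}

if __name__ == "__main__":
    print(json.dumps(exposed_ingresses(SAMPLE_CONFIGMAP, SAMPLE_INGRESSES), indent=2))
```

On a real cluster, feed the functions the parsed output of `kubectl get configmap` for the controller's ConfigMap and `kubectl get ingress -A -o json`.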

CVE-2026-24512 is a configuration injection vulnerability where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of secrets accessible to the controller.

“This can be a severe vulnerability,” commented Kellman Meghu, CTO of Canada’s DeepCove Cybersecurity, who has experience with Ingress NGINX. “If I might exploit it, I might get the Ingress gateway to create a path on to inner assets. It’s like opening the insides that ought to by no means be uncovered. Will that result in additional publicity or hacks? In all probability, however when it comes to impact, it’s a primary step to realize entry into the atmosphere, and from there it might go additional, the least of which might be disruption of providers.”
