Kubernetes security advisory (AV26-208)
Analysis Summary
# Vulnerability: Kubernetes ingress-nginx Configuration Injection
## CVE Details
- **CVE ID:** CVE-2026-3288
- **CVSS Score:** Not explicitly listed in the advisory (Typically High/Critical for configuration injections)
- **CWE:** CWE-94 (Improper Control of Generation of Code, 'Code Injection') / CWE-77 (Command Injection)
## Affected Systems
- **Products:** Kubernetes ingress-nginx controller
- **Versions:**
  - Versions prior to 1.13.8
  - Versions prior to 1.14.4
  - Versions prior to 1.15.0
- **Configurations:** Systems utilizing the `rewrite-target` annotation in Ingress objects.
## Vulnerability Description
This vulnerability involves an Nginx configuration injection flaw within the `rewrite-target` annotation of the Kubernetes `ingress-nginx` controller. An attacker with permissions to create or update Ingress objects can leverage a specially crafted `rewrite-target` value to inject arbitrary Nginx configuration directives. This occurs because the controller fails to properly sanitize the input before inserting it into the final `nginx.conf` file.
## Exploitation
- **Status:** Vulnerability disclosed; PoC status not explicitly confirmed in the brief but technically feasible for users with Ingress creation privileges.
- **Complexity:** Medium (Requires access to the Kubernetes API to modify Ingress objects).
- **Attack Vector:** Network (via Kubernetes API/Ingress submission).
## Impact
- **Confidentiality:** High (Potential to leak sensitive information, such as TLS certificates or backend credentials).
- **Integrity:** High (Potential to redirect traffic or alter headers).
- **Availability:** High (Potential to crash the Nginx process or cause a Denial of Service via malformed configurations).
## Remediation
### Patches
Users are advised to upgrade to the following versions or later:
- **v1.13.8**
- **v1.14.4**
- **v1.15.0**
### Workarounds
- Implement **Admission Controllers** (such as OPA Gatekeeper or Kyverno) to validate and sanitize the `nginx.ingress.kubernetes.io/rewrite-target` annotation.
- Restrict permissions to create/patch Ingress objects to trusted users only via **RBAC**.
## Detection
- **Indicators of compromise:** Audit logs showing unusual or non-standard Nginx directives (e.g., characters like `;`, `{`, `}`) within the `rewrite-target` annotation field.
- **Detection methods and tools:**
  - Review Kubernetes Audit Logs for `patch` or `create` operations on Ingress resources.
  - Inspect the generated `/etc/nginx/nginx.conf` inside the ingress-nginx pod for unexpected directives.
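
The audit-log review described above can be scripted. The following is an added example, not code from the advisory or the ingress-nginx project: it scans Kubernetes audit events (one JSON object per line, logged at `Request` level or higher so that `requestObject` is present) for Ingress writes whose `rewrite-target` value contains the characters listed above. The sample events, user names and namespace are constructed; also matching `update` and treating line breaks as suspicious are assumptions.

```python
import json

ANNOTATION = "nginx.ingress.kubernetes.io/rewrite-target"
# The page names ; { } as indicators; treating line breaks as suspicious is an added assumption.
SUSPICIOUS = set(";{}\r\n")
WRITE_VERBS = {"create", "update", "patch"}


def _event(verb, user, name, annotations):
    """Build one constructed audit.k8s.io/v1 event (sample data, not a real log)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Request",
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": "ingresses", "namespace": "demo", "name": name},
        "requestObject": {"metadata": {"annotations": annotations}},
    })


SAMPLE_LOG = "\n".join([
    _event("create", "alice", "shop", {ANNOTATION: "/$2"}),
    _event("patch", "bob", "blog", {ANNOTATION: "/placeholder;{constructed}"}),
    _event("get", "carol", "shop", {}),
    "not-json truncated line",
])


def find_suspicious_rewrites(log_text):
    """Return one finding per Ingress write whose rewrite-target holds config metacharacters."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the scan
        ref = ev.get("objectRef") or {}
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") != "ingresses":
            continue
        meta = (ev.get("requestObject") or {}).get("metadata") or {}
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if not isinstance(value, str):
            continue  # annotation absent, or event logged below the Request level
        bad = sorted(SUSPICIOUS.intersection(value))
        if bad:
            findings.append({"user": (ev.get("user") or {}).get("username"),
                             "ingress": f'{ref.get("namespace")}/{ref.get("name")}',
                             "verb": ev["verb"], "chars": bad, "value": value})
    return findings
```

Events recorded at the `Metadata` audit level carry no `requestObject`, so they pass through this check silently; the audit policy has to log Ingress writes at `Request` level for the scan to see the annotation.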
## References
- Kubernetes Security Advisory (CVE-2026-3288): hxxps[://]discuss[.]kubernetes[.]io/t/security-advisory-cve-2026-3288-ingress-nginx-rewrite-target-nginx-configuration-injection/34289
- Canadian Centre for Cyber Security Advisory (AV26-208): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/kubernetes-security-advisory-av26-208