High severity8.8NVD Advisory· Published Aug 16, 2024· Updated Apr 15, 2026

CVE-2024-7646

Description

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the networking.k8s.io or extensions API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2024/08/16/5nvd
github.com/kubernetes/ingress-nginx/pull/11719nvd
github.com/kubernetes/ingress-nginx/pull/11721nvd
github.com/kubernetes/kubernetes/issues/126744nvd
groups.google.com/g/kubernetes-security-announce/c/a1__cKjWkfAnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.018
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000