CVE-2026-24513
Description
A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration.
If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.
Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
k8s.io/ingress-nginxGo | < 1.13.7 | 1.13.7 |
k8s.io/ingress-nginxGo | >= 1.14.0, < 1.14.3 | 1.14.3 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
4- TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)SANS Internet Storm Center · May 4, 2026
- Identity is the control plane for distributed infrastructureHelp Net Security · May 1, 2026
- TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)SANS Internet Storm Center · Apr 27, 2026
- ‘CanisterWorm’ Springs Wiper Attack Targeting IranKrebs on Security · Mar 23, 2026