CVE-2026-24513
Description
A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration.
If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.
Note that the built-in custom-errors backend works correctly. Triggering this issue requires an administrator to have specifically configured ingress-nginx with a broken external component: a custom-errors backend for 401 or 403 that answers with a success status instead of the status carried in X-Code. Operators who run a third-party or home-grown error backend should verify that it returns the X-Code status rather than 200 before relying on auth-url for access control.
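The check a practitioner wants here is whether a custom-errors backend actually echoes X-Code. The Go program below is an added example, not ingress-nginx code and not its built-in custom-error-pages backend: it implements a minimal compliant backend, a deliberately defective one that models the misconfiguration described above, and a probe that sends requests carrying X-Code: 401 and X-Code: 403 (the statuses ingress-nginx proxies to the backend when they appear in the `custom-http-errors` ConfigMap key) and reports which statuses the backend failed to return. It assumes only what the advisory states, that ingress-nginx forwards the original error status to the backend in the X-Code header; the handler and function names are mine, and the backends are run in-process with httptest so the program works offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Added example, not ingress-nginx project code. The only assumption taken
// from the advisory is that ingress-nginx sends the original error status to
// the custom-errors backend in the X-Code request header.

// XCodeErrorHandler is a minimal compliant custom-errors backend: it answers
// with whatever status ingress-nginx asked for in X-Code. A missing or
// nonsensical X-Code fails closed with 500 so the response never looks like
// success.
func XCodeErrorHandler(w http.ResponseWriter, r *http.Request) {
	code, err := strconv.Atoi(r.Header.Get("X-Code"))
	if err != nil || code < 400 || code > 599 {
		code = http.StatusInternalServerError
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(code)
	fmt.Fprintf(w, "%d %s\n", code, http.StatusText(code))
}

// DefectiveErrorHandler models the broken backend the advisory describes:
// it ignores X-Code and always returns 200 with a friendly page. Fronting
// an auth-url Ingress with this backend turns an auth failure into a 200.
func DefectiveErrorHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "Something went wrong, please try again.")
}

// ProbeXCode sends one request per status in codes with that status in
// X-Code, the way ingress-nginx would, and returns the statuses the backend
// should have echoed but did not. An empty result means the backend
// respects X-Code for every status probed.
func ProbeXCode(client *http.Client, backendURL string, codes []int) ([]int, error) {
	var ignored []int
	for _, code := range codes {
		req, err := http.NewRequest(http.MethodGet, backendURL, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("X-Code", strconv.Itoa(code))
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		if resp.StatusCode != code {
			ignored = append(ignored, code)
		}
	}
	return ignored, nil
}

func main() {
	// 401 and 403 are the statuses that matter for auth-url.
	codes := []int{http.StatusUnauthorized, http.StatusForbidden}
	backends := []struct {
		name string
		h    http.HandlerFunc
	}{
		{"compliant", XCodeErrorHandler},
		{"defective", DefectiveErrorHandler},
	}
	for _, b := range backends {
		srv := httptest.NewServer(b.h)
		ignored, err := ProbeXCode(srv.Client(), srv.URL, codes)
		srv.Close()
		if err != nil {
			fmt.Printf("%s backend: probe failed: %v\n", b.name, err)
			continue
		}
		if len(ignored) == 0 {
			fmt.Printf("%s backend: honours X-Code for %v\n", b.name, codes)
		} else {
			fmt.Printf("%s backend: IGNORES X-Code for %v, unsafe with auth-url\n", b.name, ignored)
		}
	}
}
```

To test a real deployment, point ProbeXCode at the custom-errors backend's Service (port-forwarded or from inside the cluster) instead of the httptest server; any status in the returned slice is one for which the backend would mask an auth-url failure.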
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| k8s.io/ingress-nginx | Go | < 1.13.7 | 1.13.7 |
| k8s.io/ingress-nginx | Go | >= 1.14.0, < 1.14.3 | 1.14.3 |
Affected products
OSV package coordinates (the source lists 6 coordinates and 5 version ranges; 4 further entries were collapsed behind "+ 4 more" and are not shown):
- pkg:apk/chainguard/ingress-nginx-controller-1.15
- pkg:apk/chainguard/ingress-nginx-controller-fips-1.15
- pkg:apk/wolfi/ingress-nginx-controller-1.15
- pkg:golang/k8s.io/ingress-nginx
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
Version ranges, none with a CPE assigned, in the order the source lists them:
- < 0
- < 0
- < 0
- < 1.13.7
- < 0.0.20260205T172317-150000.1.146.1