High severity8.8NVD Advisory· Published Mar 9, 2026· Updated May 6, 2026

CVE-2026-3288

Description

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected products

Bvabhishek/Cve 2026 3288 Labreferences
Kubernetes/Ingress Nginx
cpe:2.3:a:kubernetes:ingress-nginx:*:*:*:*:*:*:*:*
Range: <1.13.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/03/09/8nvdMailing ListThird Party Advisory
github.com/kubernetes/kubernetes/issues/137560nvdIssue TrackingThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000