k8s.io/ingress-nginx (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package k8s.io/ingress-nginx, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (17)
CVE-2025-1974 — CVSS 9.8 (critical): A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network…
CVE-2026-4342 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx…
CVE-2025-1097 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress…
CVE-2025-1098 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host`…
CVE-2025-24514 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be…
CVE-2026-1580 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to…
CVE-2026-24512 — CVSS 8.8 (high): A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into…
CVE-2021-25748 — CVSS 7.6 (high): A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to…
CVE-2021-25745 — CVSS 7.6 (high): A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[…
CVE-2026-24514 — CVSS 6.5 (medium): A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service…
CVE-2020-8553 — CVSS 5.9 (medium): The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create…
CVE-2018-1002104 — CVSS 5.3 (medium): Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.
CVE-2025-24513 — CVSS 4.8 (medium): A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a…
CVE-2026-24513 — CVSS 3.1 (low): A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in…