Critical Zero-Day Patched in Popular Nginx Ingress Controller

A severe zero-day vulnerability was disclosed and patched over the weekend in the widely used NGINX Ingress Controller for Kubernetes, prompting emergency updates across enterprise cloud environments.

Tracked as CVE-2026-23091 with a CVSS score of 9.8, the flaw allows unauthenticated, remote attackers to achieve arbitrary code execution (RCE) by bypassing the controller's annotation sanitization filters. By sending specially crafted HTTP requests carrying malicious configuration snippets, an attacker can force the ingress controller to overwrite its own core configuration files.

Because the ingress controller operates as the primary gateway for routing external traffic into a Kubernetes cluster, successfully exploiting this vulnerability effectively hands an attacker full control over the underlying container network.

"This isn't just a theoretical bypass," said Dr. Aris Thorne, Lead Threat Analyst at CloudSec Dynamics. "The ingress controller sits at the very edge of the cluster and requires elevated privileges to function correctly. If an attacker pops the ingress pod, they can effortlessly pivot, intercept sensitive API tokens, and escalate privileges across the entire internal Kubernetes network."

The Kubernetes security response committee was alerted to the vulnerability late Thursday evening after an independent security researcher observed anomalous traffic patterns in a honeypot environment. Maintainers released out-of-band patches within 24 hours of the initial responsible disclosure, but the widespread deployment of the NGINX controller means thousands of clusters may still be exposed.

According to the official advisory, the vulnerability specifically affects environments where the `allow-snippet-annotations` setting is enabled—a common configuration used by administrators to inject custom NGINX rules into standard ingress objects.

Administrators are urged to immediately upgrade to version 1.15.3 or newer. For environments where immediate patching is not feasible, the Kubernetes security team recommends strictly disabling snippet annotations via a centralized policy engine, though this may temporarily break advanced routing rules.
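The two checks an administrator would want to run before and after applying the advice above (is the controller at or past the fixed release, and is `allow-snippet-annotations` still enabled, with which Ingress objects depending on it) can be scripted against the output of `kubectl get configmap ... -o json` and `kubectl get ingress -A -o json`. The following is an added example written for this article, not code from the NGINX Ingress Controller project or the advisory. It assumes that the controller's ConfigMap key is `allow-snippet-annotations` (as the article states) and that the `nginx.ingress.kubernetes.io/*-snippet` annotation names listed in `SNIPPET_ANNOTATIONS` are the ones gated by that setting; the sample ConfigMap and Ingress list are constructed inline so the script runs offline.

```python
"""Audit helper for the snippet-annotation exposure described in the article.

Reads a controller ConfigMap and an Ingress list (the JSON shapes kubectl emits),
reports whether snippet annotations are enabled, which Ingress objects rely on
them, and whether the running controller version predates the fixed release.
"""
import json

# Annotation keys treated as snippets (assumed set, based on the ingress-nginx
# *-snippet annotation family that allow-snippet-annotations gates).
SNIPPET_ANNOTATIONS = frozenset({
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
})

FIXED_VERSION = (1, 15, 3)  # fixed release as reported in the article


def snippet_setting(configmap: dict) -> str:
    """Return 'true', 'false' or 'unset' for allow-snippet-annotations.

    'unset' means the controller's built-in default applies; that default has
    varied between controller releases, so treat it as something to verify.
    """
    data = configmap.get("data") or {}
    if "allow-snippet-annotations" not in data:
        return "unset"
    value = str(data["allow-snippet-annotations"]).strip().lower()
    return "true" if value == "true" else "false"


def ingresses_using_snippets(ingress_list: dict) -> list:
    """List (namespace, name, [snippet annotation keys]) for every Ingress that
    carries at least one snippet annotation. These are the objects that break
    when snippets are disabled, so they need review before the policy change."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        hits = sorted(k for k in annotations if k in SNIPPET_ANNOTATIONS)
        if hits:
            findings.append((meta.get("namespace", "default"), meta.get("name", ""), hits))
    return findings


def needs_upgrade(version: str) -> bool:
    """True when the controller version string is older than FIXED_VERSION.

    Accepts 'v1.12.0', '1.12.0' or '1.15'; a pre-release suffix such as
    '-rc1' is ignored for the comparison.
    """
    core = version.strip().lstrip("v").split("-")[0]
    nums = tuple(int(p) for p in core.split(".")[:3])
    nums = nums + (0,) * (3 - len(nums))
    return nums < FIXED_VERSION


def audit(configmap: dict, ingress_list: dict, version: str) -> dict:
    """Combine the three checks into one report dictionary."""
    return {
        "allow-snippet-annotations": snippet_setting(configmap),
        "needs_upgrade": needs_upgrade(version),
        "ingresses_with_snippets": ingresses_using_snippets(ingress_list),
    }


# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_CONFIGMAP = json.loads("""
{"apiVersion": "v1", "kind": "ConfigMap",
 "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
 "data": {"allow-snippet-annotations": "true"}}
""")

SAMPLE_INGRESSES = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"metadata": {"name": "checkout", "namespace": "payments",
                "annotations": {
                  "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers \\"X-Demo: 1\\";"}}},
  {"metadata": {"name": "docs", "namespace": "web",
                "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}}}
]}
""")

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGMAP, SAMPLE_INGRESSES, "v1.12.0")
    print(json.dumps(report, indent=2))
```

To run this against a live cluster, replace the two sample documents with the JSON from `kubectl get configmap <controller-configmap> -n <namespace> -o json` and `kubectl get ingress -A -o json`, and pass the controller image tag as the version string. An Ingress that appears in `ingresses_with_snippets` is one whose routing will change once `allow-snippet-annotations` is set to `"false"`, which is the temporary breakage the article warns about.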