ingress-nginx has Improper Check for Unusual or Exceptional Conditions

GHSA-4g2f-xcph-2335 · CVE-2026-24513 · GO-2026-4419

Published Feb 4, 2026 · Modified May 20, 2026

Description

A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration.

If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.

Note that the built-in custom-errors backend works correctly. Triggering this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-24513
WEB https://github.com/kubernetes/kubernetes/issues/136679
PACKAGE https://github.com/kubernetes/ingress-nginx

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes