Upstream Ingress-Nginx CVEs - CVE-2025-15566, CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514

Article Number: 000022374

Environment

• A Rancher-provisioned or standalone RKE2 cluster with the ingress-nginx Ingress controller.

• ingress-nginx versions:

• < v1.13.7

• v1.14.x < v1.14.3

• RKE2 versions (affected):

• <= v1.32.11+rke2r1

• v1.33 <= v1.33.7+rke2r1
• v1.34 <= v1.34.3+rke2r1
• v1.35.0+rke2r1

Situation

The upstream Kubernetes project announced, on February 1st and 5th of 2026, multiple security vulnerabilities affecting the ingress-nginx component:

• CVE-2025-15566
• CVE-2026-1580
• CVE-2026-24512
• CVE-2026-24513
• CVE-2026-24514

If a cluster is not running ingress-nginx - for example, if it is running the Traefik Ingress controller instead - it is unaffected. You can verify the presence of the RKE2 ingress-nginx instance using the following command:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=rke2-ingress-nginx

Note: K3s clusters utilize the Traefik Ingress controller by default and are not affected by these ingress-nginx issues unless you have manually deployed a custom instance of ingress-nginx.

Cause

Multiple security issues were discovered in the ingress-nginx controller that could allow an attacker to bypass security controls or execute arbitrary code. The vulnerabilities are categorized as follows:

1. Configuration Injection (CVE-2025-15566, CVE-2026-1580, CVE-2026-24512): Improper validation of the auth-proxy-set-headers and auth-method annotations, and handling of ImplementationSpecific path types, allows an attacker to inject configuration into the generated nginx configuration. This can lead to arbitrary code execution, and disclosure of Kubernetes Secrets accessible to the controller. Note: In default installations, the ingress-nginx controller has permissions to access all Secrets cluster-wide.
2. Authentication Bypass (CVE-2026-24513): Insufficient validation of the X-Code header when using a custom error backend could allow an Ingress with the auth-url annotation to be accessed even when authentication fails.
3. Denial of Service (CVE-2026-24514): A vulnerability in the controller's internal processing, could lead to OOM events for ingress-nginx controller Pods or Nodes, as a result of large requests sent to the ingress-nginx validating admission controller.

Resolution

Upgrade RKE2

The primary resolution is to upgrade to an RKE2 patch release containing the ingress-nginx fixes. Upgrade to one of the following versions (or later), which package a patched version of ingress-nginx:

• v1.35.0+rke2r3
• v1.34.3+rke2r3
• v1.33.7+rke2r3
• v1.32.11+rke2r3

Workarounds

If you are unable to upgrade your RKE2 version immediately, consider the following mitigation steps:

• CVE-2025-15566: Use a validating admission controller to reject Ingress resources containing the nginx.ingress.kubernetes.io/auth-proxy-set-headers annotation.
• CVE-2026-1580: Use a validating admission controller to reject Ingress resources containing the nginx.ingress.kubernetes.io/auth-method annotation.
• CVE-2026-24512: Use a validating admission controller to reject Ingress resources with the ImplementationSpecific path type.
• CVE-2026-24513: Verify that any custom errors backend (if configured) correctly respects and validates the X-Code HTTP header.
• CVE-2026-24514: No mitigation is available for this specific vulnerability. An upgrade to a patched version is required.