CVE-2026-24513

ingress-nginx auth-url protection bypass

Assigner: kubernetes
Reserved: 23.01.2026 Published: 03.02.2026 Updated: 06.02.2026

A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration.

If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.

Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Kubernetes
Product	ingress-nginx
Versions	Default: affected affected from 0 to 1.13.7 (excl.) affected from 0 to 1.14.2 (excl.)

Vendor

Kubernetes

Product

ingress-nginx

Versions

Default: affected

affected from 0 to 1.13.7 (excl.)
affected from 0 to 1.14.2 (excl.)

Credits

Aurelia Schittler finder

References

Problem Types

CWE-754 Improper Check for Unusual or Exceptional Conditions CWE

Impacts

CAPEC-115 Authentication Bypass