CVE-2026-55723 PUBLISHED

NGINX Ingress Controller vulnerability

Assigner: f5
Reserved: 17.06.2026 Published: 15.07.2026 Updated: 15.07.2026

When NGINX Ingress Controller is configured with Custom Resource Definitions (CRDs) or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without sanitization. An authenticated attacker with permission to create or modify these CRDs or annotations may craft values that inject arbitrary NGINX configuration directives.

Impact: An authenticated attacker granted write access to NGINX Ingress Controller CRDs or Ingress annotations through the Kubernetes API may be able to inject arbitrary NGINX configuration directives, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor F5
Product NGINX Ingress Controller
Versions Default: unknown
  • affected from 5.0.0 to 5.5.2 (excl.)
  • affected from 2026-lts-r1 to 2026-lts-r3 (excl.)

Credits

  • F5 finder

References

Problem Types

  • CWE-76 Improper Neutralization of Equivalent Special Elements CWE