{"id":"CVE-2026-1580","details":"A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)","aliases":["BIT-nginx-ingress-controller-2026-1580","GHSA-9h3p-52vh-959w","GO-2026-4423"],"modified":"2026-03-23T05:03:07.515037053Z","published":"2026-02-03T23:16:06.290Z","related":["SUSE-SU-2026:0403-1"],"references":[{"type":"REPORT","url":"https://github.com/kubernetes/kubernetes/issues/136677"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1580.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}