{"id":"CVE-2026-24512","details":"A security issue was discovered in ingress-nginx where the `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)","aliases":["BIT-nginx-ingress-controller-2026-24512","GHSA-jx8c-56mg-h6vp","GO-2026-4426"],"modified":"2026-03-23T05:12:09.180465Z","published":"2026-02-03T23:16:06.990Z","related":["SUSE-SU-2026:0403-1"],"references":[{"type":"REPORT","url":"https://github.com/kubernetes/kubernetes/issues/136678"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24512.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}