CVE-2026-1580 — Vulnetix

CVE-2026-1580 PUBLISHED

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

EPSS 0.05% · 16.4th percentile

Risk Scores

EPSS Score

0.05%

16.4th percentile

Affected Products

Vendor	Product	Versions
Bitnami	nginx-ingress-controller	1.14.0, 0
Bitnami	nginx-ingress-controller	1.14.0, 0

Timeline

Feb 2, 2026 PoC Published
Feb 3, 2026 PoC Published
Feb 3, 2026 PoC Published
Feb 3, 2026 PoC Published
Feb 3, 2026 PoC Published
Feb 3, 2026 CVE Published
Feb 3, 2026 PoC Published
Feb 3, 2026 PoC Published
Feb 4, 2026 CVE Updated
Feb 4, 2026 EPSS Score
Feb 4, 2026 PoC Published
Feb 4, 2026 PoC Published

References

https://github.com/kubernetes/kubernetes/issues/136677 url
https://nvd.nist.gov/vuln/detail/CVE-2026-1580 url

Open in Interactive Console →