VDB
CVE-2026-24513
CVE-2026-24513
PUBLISHED
A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
EPSS 0.01% · 2.8th percentile
Risk Scores
EPSS Score
0.01%
2.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | nginx-ingress-controller | 0, 1.14.0 |
| Bitnami | nginx-ingress-controller | 1.14.0, 0 |
Timeline
- Feb 2, 2026 PoC Published
- Feb 3, 2026 PoC Published
- Feb 3, 2026 PoC Published
- Feb 3, 2026 CVE Published
- Feb 4, 2026 EPSS Score
- Feb 4, 2026 PoC Published
- Feb 4, 2026 PoC Published
- Feb 4, 2026 PoC Published
- Feb 4, 2026 PoC Published
- Feb 5, 2026 PoC Published
- Feb 6, 2026 EPSS Score
- Feb 8, 2026 EPSS Score