Content Deep Dive

Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes

Blog post from Sysdig

Post Details

Company: Sysdig
Date Published:
Author: Michael Clark
Word Count: 1,677
Language: English
Hacker News Points: -
Summary

On March 9, 2026, a critical fix for CVE-2026-3288 was merged into the Kubernetes ingress-nginx project. The fix addresses a configuration injection vulnerability in the NGINX Ingress Controller: any user with permission to create or modify Ingress resources could inject arbitrary nginx configuration directives by manipulating the Ingress path field. Successful exploitation can lead to remote code execution and the disclosure of secrets. The flaw is closely related to CVE-2026-24512, which was addressed earlier, but that fix left certain code paths vulnerable because its sanitization was incomplete, specifically in the buildProxyPass() function. The Sysdig Threat Research Team analyzed both vulnerabilities and developed a Falco detection rule that identifies exploitation attempts from Kubernetes audit logs. Organizations are advised to update to the fixed versions (v1.13.8, v1.14.4, or v1.15.0) and to put detection in place to mitigate the risk. The issue underscores the ongoing challenge of safely handling user-controlled input within nginx configuration templates, a recurring theme in previous ingress-nginx vulnerabilities.