Security Bulletin
Summary
IBM Cloud Kubernetes Service is affected by multiple Kubernetes Ingress Controller security vulnerabilities.
- A user with access to create or update Ingress objects can use the rules.http.paths.path Ingress field to inject configuration into nginx (CVE-2026-24512)
- The nginx.ingress.kubernetes.io/auth-method annotation can be used to inject configuration into nginx (CVE-2026-1580)
- The protection afforded by the nginx.ingress.kubernetes.io/auth-url annotation may not be effective in the presence of a specific misconfiguration (CVE-2026-24513)
- If the Ingress Validation Webhook feature has been explicitly enabled, sending large requests to the validating admission controller can increase memory consumption and result in the ingress-nginx controller pod being killed (CVE-2026-24514)
These vulnerabilities are relevant mainly in multi-tenant environments where non-admin users have permissions to create Ingress objects.
Note: IBM Cloud Kubernetes Service is not affected by Kubernetes Ingress Controller security vulnerabilities related to the Validating Admission Controller functionality of ingress-nginx (CVE-2026-24512), unless the Ingress Validation Webhook feature has been expicitely enabled.
Vulnerability Details
CVEID: CVE-2026-24513
The protection afforded by the nginx.ingress.kubernetes.io/auth-url annotation may not be effective in the presence of a specific misconfiguration
CWE: CWE-754
CVSS Source: https://github.com/kubernetes/kubernetes/issues/136679
CVSS Base Score: 3.1 Low
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEID: CVE-2026-1580
The nginx.ingress.kubernetes.io/auth-method annotation can be used to inject configuration into nginx
CWE: CWE-20
CVSS Source: https://github.com/kubernetes/kubernetes/issues/136677
CVSS Base Score: 8.8 High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEID: CVE-2026-24514
If the Ingress Validation Webhook feature has been explicitly enabled, sending large requests to the validating admission controller can increase memory consumption and result in the ingress-nginx controller pod being killed
CWE: CWE-770
CVSS Source: https://github.com/kubernetes/kubernetes/issues/136680
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVEID: CVE-2026-24512
A user with access to create or update Ingress objects can use the rules.http.paths.path Ingress field to inject configuration into nginx
CWE: CWE-20
CVSS Source: https://github.com/kubernetes/kubernetes/issues/136678
CVSS Base Score: 8.8 High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products and Versions
IBM Cloud Kubernetes Service clusters with Kubernetes Ingress Controllers (ALB) with versions below 1.11.2_315162975_iks, 1.12.1_315163011_iks, 1.13.2_315158234_iks build versions.
Remediation/Fixes
Action Required
No action required if automatic updates for the Kubernetes Ingress Controllers (ALBs) are enabled.
To check whether automatic updates for the Kubernetes Ingress Controllers (ALBs) are enabled, run ibmcloud ks ingress alb autoupdate get
If automatic updates are disabled, manually update to one of the supported Kubernetes Ingress Controller (ALB) versions.
ibmcloud ks ingress alb update --version 1.12.1_315163011_iks
To see supported Kubernetes Ingress Controller (ALB) versions, run: ibmcloud ks ingress alb version
Kubernetes Ingress versions
1.11.2_315162975_iks
1.12.1_315163011_iks (default)
1.13.2_315158234_iks
To see Kubernetes Ingress Controller (ALB) versions running in the cluster, run: ibmcloud ks ingress alb ls
Get Notified about Future Security Bulletins
References
https://github.com/kubernetes/kubernetes/issues/136680
https://github.com/kubernetes/kubernetes/issues/136679
https://github.com/kubernetes/kubernetes/issues/136678
https://github.com/kubernetes/kubernetes/issues/136677
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Product Synonym
IKS; ROKS;
Was this topic helpful?
Document Information
Modified date:
11 February 2026
UID
ibm17259628