
CVE-2026-1580 is an improper input validation issue. If the Ingress NGINX controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the auth-url annotation may be accessed even when authentication fails.
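The precondition above is a custom-errors backend that does not honour the X-Code header ingress-nginx sets when it hands an error off to that backend. The following Python is an added illustration written for this page, not ingress-nginx code or any vendor's error-page image: a conforming backend that echoes X-Code (failing closed to 404 for anything it is not meant to render), a hypothetical defective one modelled here as always answering 200, and a small probe a defender can point at either to confirm that 401 and 403 survive the round trip. Header names, the fallback status and the renderable set are this example's own choices.

```python
"""Model of an ingress-nginx custom-errors backend and an X-Code conformance probe.

Added illustration for this page; not ingress-nginx code. It assumes only what
the text states: the controller passes the original HTTP status to the custom
backend in the X-Code request header, and a backend that ignores that header
is the defective configuration the text describes.
"""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

# Status codes this backend is willing to render. Anything else (missing,
# non-numeric, or a success code that should never reach an error backend)
# falls back to 404 rather than to 200. Both sets are this example's choice.
RENDERABLE = {401, 403, 404, 500, 502, 503}
FALLBACK_STATUS = 404


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def render_error(headers: dict) -> tuple[int, str]:
    """Conforming backend: return (status, body), preserving the X-Code status."""
    try:
        code = int(_header(headers, "X-Code"))
    except ValueError:
        code = FALLBACK_STATUS
    if code not in RENDERABLE:
        code = FALLBACK_STATUS
    return code, f"<h1>{code} {HTTPStatus(code).phrase}</h1>"


def render_error_defective(headers: dict) -> tuple[int, str]:
    """Hypothetical defective backend: ignores X-Code and always answers 200.

    This is the shape of backend the text calls 'defective'; an auth failure
    routed through it would come back to the client as a success.
    """
    return 200, "<h1>Something went wrong</h1>"


def respects_x_code(backend, codes=(401, 403)) -> bool:
    """Probe: does `backend` preserve each status in `codes`? Use on a backend
    handler (as here) or adapt to send real requests at a deployed backend."""
    return all(backend({"X-Code": str(c)})[0] == c for c in codes)


class ErrorPageHandler(BaseHTTPRequestHandler):
    """Serve render_error over HTTP so the probe can be run against a real port."""

    def do_GET(self):  # noqa: N802 (http.server naming)
        status, body = render_error(dict(self.headers.items()))
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    print("conforming backend respects X-Code:", respects_x_code(render_error))
    print("defective backend respects X-Code:", respects_x_code(render_error_defective))
    HTTPServer(("127.0.0.1", 8080), ErrorPageHandler).serve_forever()
```

Run it and request `http://127.0.0.1:8080/` with an `X-Code: 403` header; the response status should be 403, not 200. The same probe, sent to the custom-errors backend actually configured in a cluster, is the quickest way to tell whether that backend falls into the defective category the text describes.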
CVE-2026-24512 is a configuration injection vulnerability where the rules.http.paths.path Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of secrets accessible to the controller.
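Since the injection point is a field that ordinary tenants can set in their own Ingress objects, one defensive control is to lint manifests before they are admitted. The Python below is an added example for this page, not ingress-nginx's own validation: it walks `spec.rules[].http.paths[].path` and rejects anything outside a conservative URL-path character allowlist. The regular expression and the constructed sample Ingress are this example's assumptions; the point is that the path field is treated as untrusted input and checked against what a path may contain, rather than against a list of known-bad strings.

```python
"""Pre-admission lint for Ingress rules.http.paths.path values.

Added example for this page, not ingress-nginx code. The allowlist below is
this example's own hardening choice: a path must begin with '/' and may
contain only unreserved URL-path characters, '/', and percent-encoding.
The sample manifest is constructed for the demonstration.
"""
import json
import re

# Conservative allowlist for a URL path. Anything the controller would have to
# escape or interpret when emitting nginx configuration is simply not allowed.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._~%/\-]*")


def lint_ingress_paths(ingress: dict) -> list[str]:
    """Return one finding per path that fails the allowlist (empty list = clean).

    A missing `path` key is skipped, since the Ingress API allows omitting it
    for ImplementationSpecific matches; a present but empty string is a finding.
    """
    findings = []
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path")
            if path is None:
                continue
            if not SAFE_PATH.fullmatch(path):
                findings.append(f"{name}: rejected path {path!r}")
    return findings


# Constructed sample: one compliant path and one that is not a valid URL path.
CONSTRUCTED_INGRESS = json.loads("""
{
  "apiVersion": "networking.k8s.io/v1",
  "kind": "Ingress",
  "metadata": {"name": "shop", "namespace": "tenant-a"},
  "spec": {
    "rules": [
      {
        "host": "shop.example.internal",
        "http": {
          "paths": [
            {"path": "/api/v1", "pathType": "Prefix",
             "backend": {"service": {"name": "api", "port": {"number": 80}}}},
            {"path": "/catalog items", "pathType": "Prefix",
             "backend": {"service": {"name": "catalog", "port": {"number": 80}}}}
          ]
        }
      }
    ]
  }
}
""")


if __name__ == "__main__":
    for finding in lint_ingress_paths(CONSTRUCTED_INGRESS):
        print(finding)
```

Wire the same function into a validating admission webhook, a CI step over rendered manifests, or a one-off audit over `kubectl get ingress -A -o json`, and treat any finding as a reject until the controller is upgraded to a fixed version.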
“This is a serious vulnerability,” commented Kellman Meghu, CTO of Canada’s DeepCove Cybersecurity, who has experience with Ingress NGINX. “If I could exploit it, I could get the Ingress gateway to create a path directly to internal resources. It’s like opening the insides that should never be exposed. Will that lead to further exposure or hacks? Probably, but in terms of impact, it’s a first step to gain access into the environment, and from there it could go further, the least of which would be disruption of services.”
