CVE-2026-55723

F5 · NGINX Ingress Controller

An injection vulnerability in the NGINX Ingress Controller configuration generator allows authenticated users to manipulate configurations via specific CRDs or Ingress annotations.

Executive summary

A high-severity injection vulnerability in the F5 NGINX Ingress Controller allows authenticated users to manipulate system configurations, potentially leading to unauthorized control.

Vulnerability

The vulnerability stems from improper neutralization of special elements within the configuration generator. Attackers with authenticated access can leverage specifically crafted Custom Resource Definitions or Ingress annotations to inject unintended commands or settings into the NGINX configuration.

Business impact

With a CVSS score of 8.3, this flaw poses a significant risk to the integrity of the networking infrastructure. An attacker could potentially redirect traffic, bypass security policies, or cause service disruptions, resulting in potential data interception or unauthorized access to backend services.

Remediation

Immediate Action: Apply the vendor-supplied security updates to reach version 5.5.2 or 2026-lts-r3 as specified in the F5 security advisory.

Proactive Monitoring: Monitor Kubernetes cluster logs and Ingress controller configuration change events for anomalous annotation usage or unexpected modifications.

Compensating Controls: Restrict permissions for creating or modifying Ingress resources and CRDs to highly trusted service accounts using Kubernetes RBAC.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations should audit their current NGINX Ingress Controller versions against the affected range and apply the necessary patches. Given the requirement for authenticated access, reinforcing RBAC policies alongside the update is essential to defense in depth.