
CVE-2026-24513: Low-Severity Vulnerability in ingress-nginx

A low-severity vulnerability in ingress-nginx could allow unauthorized access when misconfigured. Organizations should evaluate their configurations to ensure proper authentication enforcement.

Severity: LOW · CVSS 3.1 · Published February 3, 2026


A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. Triggering this issue requires an administrator to specifically configure ingress-nginx with a broken external component.
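The condition above can be checked before a custom-errors backend is deployed: send it requests carrying `X-Code: 401` and `X-Code: 403` and confirm the response status matches. The following is an added example, not code from this page or from the ingress-nginx project; the handler names `respectsXCode` and `ignoresXCode` and the helper `mismatchedCodes` are hypothetical, and both backends are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// respectsXCode is a constructed, well-behaved custom-errors backend:
// it answers with the status passed to it in the X-Code header.
func respectsXCode(w http.ResponseWriter, r *http.Request) {
	code, err := strconv.Atoi(r.Header.Get("X-Code"))
	if err != nil || code < 100 || code > 599 {
		code = http.StatusNotFound // missing or malformed header: fail closed
	}
	w.WriteHeader(code)
	fmt.Fprintf(w, "error %d\n", code)
}

// ignoresXCode is a constructed defective backend: it never reads X-Code
// and always answers 200, the misbehaviour the advisory describes.
func ignoresXCode(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "Something went wrong")
}

// mismatchedCodes sends one in-memory request per code with X-Code set and
// returns the codes for which the backend's response status differs.
func mismatchedCodes(backend http.Handler, codes []int) []int {
	var bad []int
	for _, code := range codes {
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.Header.Set("X-Code", strconv.Itoa(code))
		rec := httptest.NewRecorder()
		backend.ServeHTTP(rec, req)
		if rec.Code != code {
			bad = append(bad, code)
		}
	}
	return bad
}

func main() {
	codes := []int{http.StatusUnauthorized, http.StatusForbidden}
	fmt.Println("respectsXCode mismatches:", mismatchedCodes(http.HandlerFunc(respectsXCode), codes))
	fmt.Println("ignoresXCode mismatches: ", mismatchedCodes(http.HandlerFunc(ignoresXCode), codes))
}
```

A backend that reports any mismatch for 401 or 403 should not be set as the default custom-errors backend on a controller that serves Ingresses using `auth-url`.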

The CVSS score for this vulnerability is 3.1, indicating a low severity level. Organizations must understand the implications of this vulnerability and assess their configurations. Given that it requires specific misconfigurations to be exploitable, the immediate threat may be lower; however, it is critical that affected users ensure proper configurations are in place.

Risk to organizations includes unauthorized access to resources that should be protected by authentication mechanisms. Organizations should prioritize reviewing their ingress-nginx configurations to mitigate potential risks.

Organizations should address this vulnerability in their priority patch cycle, ensuring that any misconfigurations are corrected and that the ingress-nginx controller is functioning as expected.

The vulnerability was published on February 3, 2026. Given the low CVSS score and the specific circumstances required for exploitation, organizations may consider scheduling remediation within their routine maintenance activities.

No public exploit has been confirmed nor is there an indication of active exploitation in the wild at this time, but vigilance is always recommended.

For ongoing security improvement, organizations should implement best practices for ingress-nginx configurations and conduct regular security assessments to identify similar vulnerabilities.

Security teams should consider leveraging resources such as application security assessments to further secure their environments.

Security teams should monitor for any changes in this vulnerability's status and engage in discussions around best practices for configuration management.

For further insights into similar vulnerabilities and their management, refer to resources on vulnerability management programs and penetration testing methodologies, which can provide further context and approaches for handling vulnerabilities effectively.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
