Description

A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

INFO

Published Date :

2026-02-03T22:17:17.315Z

Last Modified :

2026-02-18T17:29:42.496Z

Source :

kubernetes
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24513 vulnerability.

Vendors Products
Kubernetes
  • Ingress-nginx
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24513.

URL Resource
https://github.com/kubernetes/kubernetes/issues/136679 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact