CVE Tools
Sign in

CVE-2026-24513

ingress-nginx auth-url protection bypass

Published: Feb 3, 2026Updated: Feb 4, 2026 Sources: CVE List NVD GHSA BDUCWE-754
NVD MITRE
3.1CVSSLOW
EPSS Score
0.3%
Top 80.7%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component.

CVSS Vector Breakdown

AV:NAC:HPR:LUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-754

Affected Products

РЕД ОСООО «Ред Софт»
On-premOS
Operating Systems / linux-distro
ingress-nginxThe Kubernetes Authors
Mixed
Cloud & SaaS / container-orchestration
ingress-nginxKubernetesCloud & SaaS
k8s.io/ingress-nginxGoOSS Libraries
ооо «ред софт»commercialRUOperating Systemsaka red soft
the kubernetes authorsoss-projectCloud & SaaSaka kubernetes
kubernetesoss-projectUSCloud & SaaSaka k8s
gopackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/kubernetes/kubernetes/issues/136679
github.com
https://github.com/kubernetes/ingress-nginx
github.com
https://github.com/kubernetes/kubernetes/issues/136679
github.com
and 4 more references View all →

Timeline

Published
Feb 3, 2026
Last Updated
Feb 4, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-24513 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows