CVE-2024-7646

HIGH

Kubernetes ingress-nginx - Unauthenticated Command Injection via Ingress Annotation Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-7646. PoCs published by dovics, r0binak.

AI-analyzed exploit summary: This PoC exploits CVE-2024-7646 in ingress-nginx to inject Lua code via the `auth-tls-verify-client` annotation, bypassing restrictions on `server-snippet`. It reads the Kubernetes service account token and exposes it via an HTTP endpoint, enabling privilege escalation.

Description

A security issue was discovered in ingress-nginx where an actor with permission to create Ingress objects (in the `networking.k8s.io` or `extensions` API group) can bypass annotation validation to inject arbitrary commands and obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.

Exploits (2)

nomisec WORKING POC · 1 star
by dovics · poc
https://github.com/dovics/cve-2024-7646

This PoC exploits CVE-2024-7646 in ingress-nginx to inject Lua code via the `auth-tls-verify-client` annotation, bypassing restrictions on `server-snippet`. It reads the Kubernetes service account token and exposes it via an HTTP endpoint, enabling privilege escalation.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: ingress-nginx controller < v1.11.2 or < v1.10.4
Auth required
Prerequisites: Permission to create Ingress resources in the cluster · Access to a Kubernetes cluster with vulnerable ingress-nginx
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by r0binak · poc
https://github.com/r0binak/CVE-2024-7646

This PoC demonstrates a header injection vulnerability in Kubernetes Ingress NGINX, allowing arbitrary HTTP headers to be injected via the `server-snippet` annotation, leading to potential XSS or response splitting attacks.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Kubernetes Ingress NGINX (version not specified)
Auth required
Prerequisites: Access to create or modify Kubernetes Ingress resources
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.2601
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (4)
Kubernetes/ingress-nginx < 1.10.4
Kubernetes/ingress-nginx 1.10.4
Kubernetes/ingress-nginx 1.11.0 - 1.11.2
Kubernetes/ingress-nginx 1.11.2
Published Aug 16, 2024
Tracked Since Feb 18, 2026