Kubernetes project issues warning on Ingress NGINX retirement | Datadog Security Labs

Kubernetes has announced that Ingress NGINX will be retired after March 2026, meaning no further releases, bug fixes, or security patches will be provided and organizations must migrate away. The post recalls the March 2025 CVE-2025-1974 “IngressNightmare” RCE as an example of what an unpatched controller would leave exposed, and urges operators to inventory their clusters now and plan a migration to a Gateway API–conformant controller. #IngressNGINX #Kubernetes

Keypoints

  • Ingress NGINX will be retired after March 2026 with no further releases, bug fixes, or security updates.
  • The March 2025 “IngressNightmare” flaw (CVE-2025-1974, CVSS 9.8) let an unauthenticated attacker who could reach the controller's admission webhook from the pod network run code inside the controller; because the controller can read Secrets cluster-wide by default, that amounted to full Kubernetes cluster takeover.
  • The Kubernetes project and its Security Response Committee warn that existing deployments will keep running but will receive no patches, so any vulnerability found after retirement turns into an immediate, forced migration rather than a planned one.
  • About 50% of cloud-native environments rely on Ingress NGINX according to Datadog telemetry, so the retirement affects a large share of clusters.
  • Operators can detect Ingress NGINX with kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx, or in Datadog by filtering on image_name:registry.k8s.io/ingress-nginx/controller. The label selector only finds installs that kept the standard chart labels, and the exact image filter misses controller images pulled from a private mirror, so run both checks.
  • The recommended migration path is to choose a Gateway API–conformant controller: Gateway API's purpose-built, role-separated CRDs (GatewayClass, Gateway, HTTPRoute and related kinds) cover L4/L7 routing with typed fields, replacing the free-form annotations through which controller-specific configuration was injected into Ingress NGINX.
  • Four new HIGH severity CVEs (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514) were disclosed on Feb 2, 2026, showing that flaws keep surfacing in the controller; once it is retired, the next ones will go unpatched.
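What the migration step looks like for a single route, as an added example that is not from the Datadog post or the Kubernetes project: first the annotation-driven Ingress as written for Ingress NGINX, then its Gateway API equivalent. The application, namespace, hostname, Service and resource names are hypothetical, and the GatewayClass name is whatever the conformant controller you pick publishes. The point is the last bullet above in concrete form: the regex rewrite that Ingress NGINX reads from a free-form annotation string becomes a typed URLRewrite filter, and the Gateway (platform-owned listener) is a separate object from the HTTPRoute (application-owned routing).

```yaml
# BEFORE: Ingress for Ingress NGINX. Behaviour lives in annotation strings that the
# controller templates into its nginx configuration.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: shop
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2   # strip the /api prefix before proxying
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /api(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api
                port:
                  number: 8080
---
# AFTER: Gateway API. The Gateway is the listener owned by the platform team.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  gatewayClassName: example-gateway-class   # hypothetical; use the class your controller installs
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: shop.example.com
---
# The HTTPRoute is owned by the application team and attaches to the Gateway above.
# /api/v1/x is matched by prefix and rewritten to /v1/x, the same result the regex
# annotation produced, but expressed as a typed filter the API server can validate.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
  namespace: shop
spec:
  parentRefs:
    - name: shop-gateway
  hostnames:
    - shop.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /
      backendRefs:
        - name: api
          port: 8080
```

Apply the Gateway and HTTPRoute alongside the existing Ingress, verify traffic on the new listener, then delete the Ingress; the Gateway API conformance reports of candidate controllers tell you whether URLRewrite and the other filters you rely on are supported before you commit to one.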

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Ingress NGINX’s critical flaw was exploited to achieve unauthenticated remote code execution and cluster takeover (‘…a CVSS 9.8 critical flaw enabling unauthenticated remote code execution and complete Kubernetes cluster takeover.’)
  • [T1021] Remote Services – The post maps the network-exposed ingress controller, which remote attackers could make run code on cluster components, to this technique (‘…enabling unauthenticated remote code execution and complete Kubernetes cluster takeover.’). Note that T1021 describes lateral movement over services such as SSH or RDP using valid accounts; the unauthenticated initial exploit itself is covered by T1190 above.

Indicators of Compromise

  • [CVE] known vulnerable identifiers – CVE-2025-1974 (IngressNightmare), CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514.
  • [Kubernetes selector/command] detection command – kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.
  • [Container image] affected image name – registry.k8s.io/ingress-nginx/controller (Datadog filter: image_name:registry.k8s.io/ingress-nginx/controller).
  • [Product] software in scope – Ingress NGINX (the product to check for and migrate from); Gateway API (the recommended migration target).
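Putting the detection command and the image filter listed above to work as an inventory, as an added example that is not the Datadog post's code: the script reads kubectl's JSON output, flags controller pods by the post's label and, independently, by image path, and lists the Ingress objects bound to the nginx class that will need Gateway API equivalents. The pods, Ingress objects, namespaces, names and image tags are constructed sample data, and the two gaps the sample illustrates (controllers installed with custom labels, images pulled from a private mirror) are assumptions about how installs vary, not findings from the post.

```python
"""Inventory Ingress NGINX ahead of its retirement.

Added example, not the Datadog post's code. Feed it `kubectl get pods -A -o json`.
Two independent checks are used because each alone has a gap:
  * the post's label selector (app.kubernetes.io/name=ingress-nginx) only finds installs
    that kept the chart's labels, and it also matches the chart's admission-job pods;
  * an image-path check finds controllers with custom labels, including copies pulled
    from a private mirror that an exact registry.k8s.io filter would miss.
"""
import json
import sys

CONTROLLER_LABEL = ("app.kubernetes.io/name", "ingress-nginx")
CONTROLLER_IMAGE_SUFFIX = "ingress-nginx/controller"


def image_repo(image):
    """Strip tag and digest from an image reference, keeping any registry port.
    'localhost:5000/ingress-nginx/controller:v1.12.1@sha256:..' -> 'localhost:5000/ingress-nginx/controller'"""
    ref = image.split("@", 1)[0]
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:  # a ':' after the last '/' is a tag separator, not a registry port
        ref = ref[:colon]
    return ref


def find_controllers(pod_list):
    """One dict per pod that looks like an Ingress NGINX controller, recording how it was matched."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        labels = meta.get("labels") or {}
        by_label = labels.get(CONTROLLER_LABEL[0]) == CONTROLLER_LABEL[1]
        images = [c.get("image", "") for c in pod.get("spec", {}).get("containers", [])]
        by_image = [img for img in images if image_repo(img).endswith(CONTROLLER_IMAGE_SUFFIX)]
        if by_label or by_image:
            hits.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "matched_by": sorted((["label"] if by_label else []) + (["image"] if by_image else [])),
                "images": by_image or images,
            })
    return hits


def ingresses_to_migrate(ingress_list, nginx_classes=("nginx",)):
    """Ingress objects bound to an NGINX IngressClass, via spec.ingressClassName or the deprecated
    kubernetes.io/ingress.class annotation. "nginx" is the chart default; pass your own class names,
    ideally taken from IngressClass objects whose spec.controller is k8s.io/ingress-nginx."""
    out = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        cls = (ing.get("spec", {}).get("ingressClassName")
               or (meta.get("annotations") or {}).get("kubernetes.io/ingress.class"))
        if cls in nginx_classes:
            out.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return out


# --- constructed sample data in kubectl JSON shape (not real telemetry) ---
def _pod(namespace, name, labels, image):
    return {"metadata": {"namespace": namespace, "name": name, "labels": labels},
            "spec": {"containers": [{"name": "main", "image": image}]}}


def _ingress(namespace, name, class_name=None, annotations=None):
    obj = {"metadata": {"namespace": namespace, "name": name, "annotations": annotations or {}}, "spec": {}}
    if class_name:
        obj["spec"]["ingressClassName"] = class_name
    return obj


SAMPLE_PODS = {"items": [
    _pod("ingress-nginx", "ingress-nginx-controller-0",
         {"app.kubernetes.io/name": "ingress-nginx", "app.kubernetes.io/component": "controller"},
         "registry.k8s.io/ingress-nginx/controller:v1.12.1"),
    _pod("ingress-nginx", "ingress-nginx-admission-create-0",  # chart label, but not a controller
         {"app.kubernetes.io/name": "ingress-nginx", "app.kubernetes.io/component": "admission-webhook"},
         "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2"),
    _pod("edge", "edge-proxy-0", {"app": "edge-proxy"},  # custom labels and a private mirror
         "mirror.example.internal/registry.k8s.io/ingress-nginx/controller:v1.11.5"),
    _pod("default", "web-0", {"app": "web"}, "nginx:1.27"),  # plain nginx, not the controller
]}

SAMPLE_INGRESSES = {"items": [
    _ingress("shop", "storefront", class_name="nginx"),
    _ingress("legacy", "old-api", annotations={"kubernetes.io/ingress.class": "nginx"}),
    _ingress("shop", "admin", class_name="traefik"),
]}

if __name__ == "__main__":
    # Real data:  kubectl get pods -A -o json | python3 inventory.py
    pods = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for hit in find_controllers(pods):
        print(f"{hit['namespace']}/{hit['name']}  matched_by={','.join(hit['matched_by'])}  {hit['images']}")
    print("Ingress objects to migrate (sample):", ingresses_to_migrate(SAMPLE_INGRESSES))
```

On the sample, the admission-job pod is reported as matched by label only and the mirrored controller by image only; treat a label-only hit as something to confirm by image before counting it, and a large image-only set as a sign that the kubectl selector from the post undercounts in your environment. For the Ingress backlog, pipe kubectl get ingress -A -o json into ingresses_to_migrate with the class names your clusters actually use.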


Read more: https://securitylabs.datadoghq.com/articles/kubernetes-ingress-nginx-retirement-warning/