CVE-2026-24513 concerns a security flaw in the Kubernetes ingress-nginx controller involving the auth-url Ingress annotation, which is designed to enforce authentication on incoming requests. The vulnerability manifests when ingress-nginx is configured with a custom default error backend that handles HTTP 401 (Unauthorized) or 403 (Forbidden) responses but is defective in that it fails to respect the X-Code HTTP header. This header is critical for ingress-nginx to correctly interpret authentication failure responses. If the backend ignores this header, ingress-nginx may mistakenly allow access to resources protected by the auth-url annotation, effectively bypassing authentication controls. The built-in custom-errors backend does not exhibit this flaw, so the issue only arises if an administrator explicitly configures a broken external error backend. The vulnerability is classified under CWE-754, which involves improper checks for unusual or exceptional conditions, in this case, the failure to correctly handle authentication failure signals. The CVSS v3.1 base score is 3.1 (low), reflecting the requirement for a specific misconfiguration, limited impact on confidentiality (partial bypass), no impact on integrity or availability, and the need for low privileges to exploit without user interaction. No patches or exploits are currently reported, but administrators should be cautious when deploying custom error backends with ingress-nginx.

The primary impact of this vulnerability is a partial bypass of authentication controls enforced by the auth-url annotation in ingress-nginx, potentially allowing unauthorized access to protected Ingress resources. This could lead to exposure of sensitive internal services or data that rely on ingress-nginx for access control. However, the impact is limited because exploitation requires a specific misconfiguration involving a defective custom error backend that mishandles HTTP 401/403 responses. There is no direct impact on data integrity or service availability, and the vulnerability does not allow privilege escalation or remote code execution. Organizations using the default built-in error backend are not affected. The risk is mainly to environments where administrators have customized error handling without fully validating the backend’s behavior. This could affect multi-tenant Kubernetes clusters or environments with strict access control requirements, potentially undermining security policies and compliance.

To mitigate this vulnerability, organizations should avoid configuring ingress-nginx with custom default error backends that handle HTTP 401 or 403 errors unless the backend is fully verified to respect the X-Code HTTP header correctly. Administrators should: 1) Use the built-in custom-errors backend provided by ingress-nginx, which is confirmed to handle authentication failure headers properly. 2) If a custom error backend is necessary, thoroughly test it to ensure it respects the X-Code HTTP header and correctly signals authentication failures to ingress-nginx. 3) Review and audit ingress-nginx configurations to detect any use of external custom error backends and validate their behavior. 4) Monitor ingress-nginx logs for unexpected access patterns or authentication bypass attempts. 5) Keep ingress-nginx and Kubernetes components updated to incorporate any future patches addressing this issue. 6) Implement defense-in-depth by combining ingress-nginx authentication with additional network segmentation and access controls to limit exposure if bypass occurs.