This vulnerability arises from improper input validation (CWE-20) in the ingress-nginx Kubernetes controller's handling of the `nginx.ingress.kubernetes.io/rewrite-target` annotation. An attacker with at least limited privileges can craft ingress resources that inject arbitrary nginx configuration directives. This can lead to arbitrary code execution within the ingress-nginx controller process and unauthorized disclosure of Kubernetes Secrets accessible to the controller. The default ingress-nginx installation typically grants the controller cluster-wide access to Secrets, amplifying the impact. The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or official fix is currently documented, and no exploits are known in the wild.

Successful exploitation can lead to arbitrary code execution in the ingress-nginx controller context, allowing an attacker to execute commands with the controller's privileges. It also enables disclosure of Kubernetes Secrets accessible to the controller, which by default includes all cluster Secrets. This compromises confidentiality, integrity, and availability of the Kubernetes cluster resources managed by ingress-nginx.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict who can create or modify ingress resources with the `nginx.ingress.kubernetes.io/rewrite-target` annotation to trusted users only. Consider applying admission controls or validating ingress annotations to prevent malicious configuration injection. Monitor official Kubernetes ingress-nginx advisories for updates and patches.