Kubernetes Archives Ingress Nginx Amid Security Concerns
Severity: High (Score: 69.0)
Sources: Diginomica
Summary
On March 24, 2026, the Kubernetes project archived ingress nginx, rendering its GitHub repository read-only. This component, crucial for managing external traffic to applications in Kubernetes clusters, has been plagued by severe security vulnerabilities, including the IngressNightmare vulnerabilities disclosed in March 2025. The most critical of these, CVE-2025-1974, had a CVSS score of 9.8 and allowed unauthenticated remote code execution, affecting approximately 43% of cloud environments.

Kat Cosgrove from the Kubernetes Steering Committee stated that the project's fundamental architecture made it unmaintainable and easy to exploit. Existing installations will continue to function, posing a risk of exploitation for organizations that do not proactively check their systems. The decision to archive ingress nginx was made after recognizing the long-standing issues with the project, which had been maintained by a small number of volunteers. This situation highlights the urgent need for organizations to reassess their reliance on this component.

Key Points
- Ingress nginx archived on March 24, 2026, with no further support or patches.
- CVE-2025-1974 allows unauthenticated remote code execution, affecting 43% of cloud environments.
- Existing installations remain vulnerable, necessitating proactive checks by organizations.
Key Entities
- CVE-2025-1974 (cve)
- app.kubernetes.io (domain)
- Gateway API (platform)
- Ingress Nginx (platform)
- Kubernetes (platform)
- IngressNightmare (vulnerability)