[Security Advisory] CVE-2021-25746: Ingress-nginx directive injection via annotations

Issue Details

A security issue was discovered in ingress-nginx where a user who can create or update Ingress objects can use annotations on an Ingress object (in either of the API groups that serve Ingress) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all Secrets in the cluster.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and assigned CVE-2021-25746.

Affected Components and Configurations

This bug affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected; you can check this by looking for the ingress-nginx controller running in your cluster.

Multitenant environments where non-admin users have permission to create Ingress objects are most affected by this issue.

Affected Versions

< v1.2.0

Fixed Versions

v1.2.0-beta.0
v1.2.0

Mitigation

If you are unable to roll out the fix, this vulnerability can be mitigated by implementing an admission policy that restricts the annotation values on Ingress objects to known-safe values (see the newly added rules, or the suggested value for the annotation-value-word-blacklist setting). Such a policy only limits what an Ingress author is allowed to write; upgrading to a fixed version remains the primary remediation.
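The following is an added example, not code from the advisory or from the ingress-nginx project, of the kind of admission check the mitigation describes: a validating webhook handler that rejects an Ingress whenever an ingress-nginx annotation value contains a word from a blocklist. The blocklist words, the annotation prefix, the webhook function names and the AdmissionReview payloads below are all assumed or constructed for illustration; substitute the suggested annotation-value-word-blacklist value and the annotation prefix your installation uses.

```python
"""Added example: blocklist-based admission check for Ingress annotations.

Not the advisory's or ingress-nginx's own code. The blocklist, the annotation
prefix and the sample AdmissionReview payloads are assumptions/constructed data.
"""
import json

# Assumed illustrative blocklist; replace with the suggested
# annotation-value-word-blacklist value for your ingress-nginx version.
DEFAULT_BLOCKLIST = (
    "load_module", "lua_package", "_by_lua", "location", "root",
    "proxy_pass", "serviceaccount",
)

# Assumed prefix under which ingress-nginx reads its annotations.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"


def find_blocked_words(annotations, blocklist=DEFAULT_BLOCKLIST):
    """Return sorted (annotation key, blocked word) pairs found in the values.

    Only keys under ANNOTATION_PREFIX are inspected, so unrelated annotations
    cannot trigger false positives. Matching is a case-insensitive substring
    test: deliberately conservative, since the point is to refuse anything
    that looks like an nginx directive rather than to parse nginx config.
    """
    hits = []
    for key, value in (annotations or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        lowered = str(value).lower()
        for word in blocklist:
            if word.lower() in lowered:
                hits.append((key, word))
    return sorted(hits)


def review(admission_review, blocklist=DEFAULT_BLOCKLIST):
    """Build the AdmissionReview response for one admission request.

    Non-Ingress objects are admitted untouched; an Ingress is admitted only if
    none of its ingress-nginx annotation values contain a blocked word.
    """
    request = admission_review["request"]
    allowed, message = True, ""
    if request.get("kind", {}).get("kind") == "Ingress":
        metadata = (request.get("object") or {}).get("metadata") or {}
        hits = find_blocked_words(metadata.get("annotations"), blocklist)
        if hits:
            allowed = False
            message = "ingress-nginx annotation values contain blocked words: " + ", ".join(
                f"{key} ({word})" for key, word in hits
            )
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def _admission_review(uid, annotations):
    # Constructed sample request in the shape a validating webhook receives.
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "object": {"metadata": {"name": "demo", "annotations": annotations}},
        },
    }


# Constructed sample data: a snippet annotation carrying a location block
# (the kind of directive the blocklist is meant to stop) and a benign Ingress.
SAMPLE_BAD = _admission_review("bad-0001", {
    "nginx.ingress.kubernetes.io/server-snippet": "location /debug { root /tmp; }",
})
SAMPLE_OK = _admission_review("ok-0001", {
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
    "kubernetes.io/ingress.class": "nginx",
})

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK):
        print(json.dumps(review(sample)["response"], indent=2))
```

The same logic can be expressed as a Gatekeeper or Kyverno policy; the handler above is the executable form of the rule. Because it is a substring denylist, it will also refuse legitimate values that happen to contain a listed word, which is the intended trade-off while the fix is rolled out.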