Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint — GHSA-3278-C88V-XRH4

GitHub · GitHub · GHSA-3278-C88V-XRH4

ID
GHSA-3278-C88V-XRH4

Date
2026-05-19

Activity
2026-05-19

Source
GitHub

Vendor
GitHub

Threat
medium

CVSS
4.9

Summary

## Summary A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exposure of sensitive plugin credentials through the diagnostics interface. Even when configured to redact sensitive information (using `--dump-sensitive-config=false`), KIC fails to sanitize the `Plugins` field in diagnostic configuration dumps. This causes secrets referenced via `configFrom.secretKeyRef` to be resolved and…

Product

go: github.com/kong/kubernetes-ingress-controller/v3 | go: github.com/kong/kubernetes-ingress-controller/v2 | go: github.com/kong/kubernetes-ingress-controller

What to do

General, cautious steps (verify details in the official source):

Review exposure and plan remediation based on risk and environment.
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

GitHub GitHub 2026-W21

Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload

2026-06-10 CVE-2026-48063

criticalGitHub GitHub 2026-W24

Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration

2026-06-10 CVE-2026-47751

mediumGitHub GitHub 2026-W24

image-size Denial of Service via Infinite Loop during Image Processing

2026-06-10 CVE-2025-71319

highGitHub GitHub 2026-W24