Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-3278-c88v-xrh4

Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint

Also known asGO-2026-5010
Published
May 19, 2026
Updated
Jun 8, 2026
Affected
3 pkgs
Patched
1 / 3
Exploits
None indexed

Blast Radius

3 pkgs affected
🐹github.com/kong/kubernetes-ingress-controller/v3🐹github.com/kong/kubernetes-ingress-controller/v2🐹github.com/kong/kubernetes-ingress-controller

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exposure of sensitive plugin credentials through the diagnostics interface. Even when configured to redact sensitive information (using --dump-sensitive-config=false), KIC fails to sanitize the Plugins field in diagnostic configuration dumps. This causes secrets referenced via configFrom.secretKeyRef to be resolved and displayed in plaintext.

Because the diagnostics HTTP endpoints require no authentication, any process within the cluster network capable of reaching the KIC pod can exfiltrate sensitive data, including API keys, bearer tokens, and database passwords.

Am I affected?

You are affected if all of the following hold:

  1. You are using Kong Ingress Controller with diagnostics enabled (--dump-config=true).
  2. You have not explicitly enabled sensitive dumping (--dump-sensitive-config=false), creating an expectation of redaction.
  3. You use KongPlugin or KongClusterPlugin resources that reference Kubernetes Secrets via configFrom.secretKeyRef.
  4. The KIC diagnostics port (default 10256) is reachable by other workloads or users within your cluster.

You are not affected if:

  • The --dump-config flag is set to false (default behavior).
  • You do not use secret-backed configurations in your Kong plugins.
  • Access to the KIC pod's diagnostic port is strictly blocked by NetworkPolicies.

Mitigation

  1. Disable Diagnostics: If not actively debugging, disable the diagnostic server by setting --dump-config=false.
  2. Network Isolation: Implement a NetworkPolicy to restrict access to the KIC diagnostics port (default 10256), ensuring only authorized administrative pods or IPs can reach it.
  3. Restrict Port-Forwarding: Limit kubectl port-forward RBAC permissions to prevent unauthorized users from accessing the pod's local ports.

Fix

The fix introduces proper sanitization for the Plugins field within the configuration state. When sensitive dumping is disabled, the controller now replaces all plugin configuration values with a redaction placeholder before they are served via the diagnostics endpoints. Additionally, it is recommended to ensure your deployment environment follows the principle of least privilege regarding network access to controller components.

Users should upgrade to the latest patched version of Kong Ingress Controller to ensure diagnostic dumps are correctly redacted.

Affected Packages

3 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/kong/kubernetes-ingress-controller/v3all versions3.5.7
🐹Gogithub.com/kong/kubernetes-ingress-controller/v2all versionsNo fix
🐹Gogithub.com/kong/kubernetes-ingress-controllerall versionsNo fix

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/kong/kubernetes-ingress-controller/v3. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/kong/kubernetes-ingress-controller/v3 to 3.5.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3278-c88v-xrh4 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-3278-c88v-xrh4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-3278-c88v-xrh4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exposure of sensitive plugin credentials through the diagnostics interface. Even when configured to redact sensitive information (using `--dump-sensitive-config=false`), KIC fails to sanitize the `Plugins` field in diagnostic configuration dumps. This causes secrets referenced via `configFrom.secretKeyRef` to be resolved and displayed in plaintext. Because the diagnostics HTTP endpoints require no authentication, any process within the cluster network capable of reaching the KIC pod can exfiltrate sen
O3 Security · Impact-Aware SCA

Is GHSA-3278-c88v-xrh4 in your dependencies?

O3 detects GHSA-3278-c88v-xrh4 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.