"There is no number of maintainers of dedicated engineers that can safely and sanely keep Ingress NGINX online."
Ingress NGINX is so popular it’s used in half of all cloud native environments. However, the tool for directing network traffic to Kubernetes workloads has reached the end of its useful life.
As of March 2026, it’s being officially retired: not only no new releases but no bug fixes, no CNCF bug bounty – and no security updates for a project the Kubernetes security SIG co-chair Tabitha Sable once described as “a never-ending CVE piñata.”
“You're taking a risk by continuing to run this after March,” Ingress NGINX maintainer James Strong says bluntly, and the project site makes it explicit: if you’re not already using it, you shouldn’t be deploying it.
Existing deployments, Helm charts, and container images will keep working and traffic will still get routed in millions of clusters – which is part of the problem. “Unless you proactively check to see whether or not you are affected and start migrating, you aren't going to know you’re affected until you're compromised,” warns Kubernetes Steering Committee member Kat Cosgrove.
Another major CVE in the project was discovered and patched just last month. It won’t be the last one found, but as of March there will be no more patches from the open-source maintainers.
“You can’t just ignore this; you have to check and start doing something about it now,” Cosgrove says. “We don't know how long it's going to take for somebody to drop an RCE or something nasty like that for the last release. It could be months, it could be days.”