Security patch:
[MODERATE] GHSA-m23h-6mwm-39m8: Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation
GitHub Security Advisory·Security·SecurityFix·5/19/2026
## Summary
A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In "managed" mode (where the `GatewayClass` lacks an unmanaged annotation), the Gateway TLS translator skips critical
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
github.com/kong/kubernetes-ingress-controller·kubernetes
Source payload preview
{
  "ghsaId": "GHSA-m23h-6mwm-39m8",
  "summary": "Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T19:30:26Z",
  "references": [
    {
      "url": "https://github.com/Kong/kubernetes-ingress-controller/security/advisories/GHSA-m23h-6mwm-39m8"
    },
    {
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7920"
    },
    {
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7921"
    },
    {
      "url": "https://github.com/Kong/kubernetes-ingress-controller/pull/7922"
    },
    {
      "url": "https://github.com/advisories/GHSA-m23h-6mwm-39m8"
    }
  ],
  "de
…