ingress-nginx Is Dead: How I Migrated to Gateway API Before It Became a Liability

ingress-nginx was archived on March 24, 2026 after a string of critical CVEs including a 9.8 CVSS unauthenticated RCE. Gateway API v1.4 is the CNCF-graduated replacement. I used ingress2gateway 1.0 to convert 40+ Ingress resources to HTTPRoutes, validated the output, and cut over with zero downtime. Here's exactly how I did it. Why This Happened In March 2025, CVE-2025-1974 (dubbed "IngressNightmare") dropped: a CVSS 9.8 unauthenticated remote code execution vulnerability in ingress-nginx's admission webhook. Any attacker with network access to the webhook could execute arbitrary code inside the controller pod, which typically has broad cluster permissions. That was bad enough on its own. Then came 2026. Four more HIGH-severity CVEs landed in quick succession: CVE Severity What It Does CVE-2025-1974 CRITICAL 9.8 Unauthenticated RCE via admission webhook CVE-2026-1580 HIGH Config injection leading to privilege escalation CVE-2026-24512 HIGH Path injection through nginx config manipulati