Description
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-06-17
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When NGINX Plus is used as the data plane for F5 NGINX Gateway Fabric, the configuration generator component fails to sanitize user-supplied values from the NginxProxy Custom Resource Definition’s serverTokens field and the AuthenticationFilter Custom Resource Definition’s extraAuthArgs field. These values are rendered directly into NGINX configuration templates, allowing an authenticated attacker who can create or modify these CRDs to inject arbitrary NGINX configuration directives. The vulnerability is identified as CWE‑76 and can lead to unauthorized configuration changes that compromise the confidentiality, integrity, or availability of the data plane, potentially enabling remote code execution or malicious traffic routing.

Affected Systems

The affected environments are installations of F5 NGINX Gateway Fabric in which NGINX Plus functions as the data plane and the configuration generator component is active. The advisory does not list specific patch releases, so any version that still uses the unsanitized generator is considered vulnerable unless updated beyond end‑of‑technical‑support.

Risk and Exploitability

The CVSS score of 8.6 signals a high severity flaw, but the EPSS score of <1% indicates a low probability of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires an authenticated attacker with sufficient RBAC permissions to modify Custom Resource Definitions within the Kubernetes cluster, making the attack vector a control‑plane, authenticated scenario. Given the high potential impact but limited current exploitation likelihood, applying the definitive patch and tightening access controls is strongly recommended.

Generated by OpenCVE AI on June 18, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest NGINX Gateway Fabric release that includes input validation for the NginxProxy and AuthenticationFilter CRDs.
  • Restrict RBAC privileges so that only trusted administrators can create or modify the affected Custom Resource Definitions.
  • Ensure that the serverTokens and extraAuthArgs fields are set to safe default values or validate any user‑supplied input prior to deployment.

Generated by OpenCVE AI on June 18, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Gateway Fabric
Vendors & Products F5
F5 nginx Gateway Fabric

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX Gateway Fabric vulnerability
Weaknesses CWE-76
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

F5 Nginx Gateway Fabric
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-17T15:42:37.296Z

Reserved: 2026-06-04T18:01:54.825Z

Link: CVE-2026-11311

cve-icon Vulnrichment

Updated: 2026-06-17T15:42:32.938Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses
  • CWE-76

    Improper Neutralization of Equivalent Special Elements