Description
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-02-04
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Plain Text Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates in NGINX proxy logic that processes TLS upstream connections. When an attacker can sit in a man‑in‑the‑middle position on the upstream TLS server side, the proxy may mistakenly incorporate plain text data from the upstream server into the HTTP response that it forwards to downstream clients. This results in content tampering or unintended data disclosure, but does not grant the attacker code execution or broader system compromise. The flaw is classified as CWE‑345 and CWE‑349.

Affected Systems

Affected products include F5’s NGINX Open Source distribution and all supported releases of F5 NGINX Plus that contain TLS proxy functionality, ranging from r32 to r36 as enumerated in the CPE list. End‑of‑support versions have not been evaluated for this issue.

Risk and Exploitability

The CVSS score of 8.2 marks the flaw as high severity, while an EPSS score of less than 1 % indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Successful exploitation requires an attacker to control the upstream TLS endpoint or otherwise achieve a MITM position, under conditions that are not trivially achievable.

Generated by OpenCVE AI on April 18, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched release of NGINX OSS or NGINX Plus that fixes the TLS proxy injection flaw.
  • Configure NGINX to validate upstream server certificates and enforce strict hostname verification, reducing the risk of a MITM attacker injecting data.
  • Restrict proxy_pass directives to trusted, verified upstream endpoints and disable overly permissive proxy settings that could allow injection.
  • Where possible, isolate upstream TLS services from the NGINX host or apply network segmentation to limit exposure to potential MITM actors.

Generated by OpenCVE AI on April 18, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6131-1 nginx security update
History

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared F5 nginx Gateway Fabric
F5 nginx Ingress Controller
F5 nginx Instance Manager
Weaknesses CWE-345
CPEs cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
Vendors & Products F5 nginx Gateway Fabric
F5 nginx Ingress Controller
F5 nginx Instance Manager

Thu, 05 Feb 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 04 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Wed, 04 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX vulnerability
Weaknesses CWE-349
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Gateway Fabric Nginx Ingress Controller Nginx Instance Manager Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-02-05T05:25:39.303Z

Reserved: 2026-01-29T18:26:26.996Z

Link: CVE-2026-1642

cve-icon Vulnrichment

Updated: 2026-02-05T05:25:39.303Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T15:16:14.190

Modified: 2026-02-13T21:35:01.730

Link: CVE-2026-1642

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T15:02:06Z

Links: CVE-2026-1642 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses