Description
When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The ngx_mail_auth_http_module flaw in NGINX Open Source and NGINX Plus causes worker processes to terminate on receipt of certain undisclosed requests, creating a denial-of-service condition for mail services. The weakness is a null pointer dereference (CWE-476). When CRAM-MD5 or APOP authentication is enabled, an authentication server that allows retries by returning an Auth-Wait header can trigger this failure because a request-handling path inside the module dereferences a null pointer.

Affected Systems

Affected versions include releases of F5's NGINX Open Source and NGINX Plus that support the ngx_mail_auth_http_module; the listed CPEs name NGINX Open Source without a version bound and the NGINX Plus r32, r35, and r36 series together with their patch-level variants (p1, p2, p3, p4, etc.). End-of-Technical-Support releases were not evaluated, but any unpatched configuration with the module enabled could be vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score is below 1%, suggesting a low probability of current exploitation. The entry is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the flaw by sending crafted authentication requests when CRAM-MD5 or APOP is active and the upstream authentication server returns an Auth-Wait response header. The attack vector is remote (CVSS vector AV:N, no privileges or user interaction required), so it needs only network access to the mail listener, and successful exploitation would force worker process termination, disrupting service availability.

Generated by OpenCVE AI on March 30, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported NGINX Plus or NGINX Open Source that includes the fix for ngx_mail_auth_http_module.
  • Disable or reconfigure CRAM‑MD5 and APOP authentication, or ensure the authentication server does not return the Auth‑Wait header.
  • If mail authentication is not required, remove or disable the ngx_mail_auth_http_module from the NGINX configuration as a temporary measure.
  • Restart NGINX after making changes and monitor worker processes for stability.
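As an added example (not configuration from the advisory, from F5, or from the NGINX project), the following mail{} block shows the second and third recommended actions applied: the exposed authentication method list beside the reconfigured one. The hostname, the auth_http address, the certificate paths, and the listener ports are assumptions; the pop3_auth, smtp_auth, imap_auth, auth_http, and starttls directives are the standard NGINX mail module directives.

```nginx
# Added example: applying the OpenCVE recommended actions in an NGINX mail{} block.
# mail.example.com, 127.0.0.1:9000 and the certificate paths are assumed values.
mail {
    server_name mail.example.com;

    # The HTTP authentication server consulted by ngx_mail_auth_http_module.
    # Its responses must not carry an Auth-Wait header if retries are to be
    # ruled out as a precondition of the issue.
    auth_http 127.0.0.1:9000/auth;

    # Before (exposed): APOP and CRAM-MD5, the two methods the advisory names
    # as preconditions, are offered to clients.
    # pop3_auth plain apop cram-md5;
    # smtp_auth login plain cram-md5;
    # imap_auth login plain cram-md5;

    # After (reconfigured): only methods that are not named as preconditions
    # remain. These send the secret itself rather than a challenge response, so
    # TLS is made mandatory on every listener to protect it in transit.
    pop3_auth plain;
    smtp_auth login plain;
    imap_auth login plain;

    ssl_certificate     /etc/nginx/ssl/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/mail.example.com.key;

    server {
        listen   110;
        protocol pop3;
        starttls only;
    }

    server {
        listen   143;
        protocol imap;
        starttls only;
    }

    server {
        listen   587;
        protocol smtp;
        starttls only;
    }
}
```

To confirm the change took effect after the reload called for in the last action, dump the running configuration with `nginx -T` and check that no `pop3_auth`, `smtp_auth` or `imap_auth` line still lists `apop` or `cram-md5`; if mail authentication is not needed at all, dropping the whole mail{} block removes the module's code path entirely, which is the third action above.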

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 14:15:00 +0000

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added:
  F5
  F5 nginx Open Source
  F5 nginx Plus

Type: Vendors & Products
Values removed: (none)
Values added:
  F5
  F5 nginx Open Source
  F5 nginx Plus

Wed, 25 Mar 2026 00:15:00 +0000

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics
Values removed:
  threat_severity: None
Values added:
  threat_severity: Important

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 14:45:00 +0000

Type: Description
Values removed: (none)
Values added:
  When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values removed: (none)
Values added:
  NGINX ngx_mail_auth_http_module vulnerability

Type: Weaknesses
Values removed: (none)
Values added:
  CWE-476

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-24T15:14:13.220Z

Reserved: 2026-03-18T16:06:38.454Z

Link: CVE-2026-27651

Vulnrichment

Updated: 2026-03-24T15:14:09.900Z

NVD

Status : Analyzed

Published: 2026-03-24T15:16:32.910

Modified: 2026-03-30T14:02:05.790

Link: CVE-2026-27651

Red Hat

Severity : Important

Public Date: 2026-03-24T14:13:27Z

Links: CVE-2026-27651 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:58:08Z

Weaknesses