Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Buffer overflow in the DAV module that can crash the NGINX worker process or allow file name changes outside the document root
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the ngx_http_dav_module of NGINX Open Source and NGINX Plus, allowing a buffer overflow when the server processes HTTP MOVE or COPY requests that use a prefix‑location configuration and an alias directive; this can terminate the worker process or cause the process to write to or read from paths outside the document root. The affected worker runs with low privileges, so the integrity impact is limited to files within or directly adjacent to the web directory, but the denial of service through worker process crashes remains a significant risk.

Affected Systems

All installations of NGINX Open Source and all versions of NGINX Plus that enable the DAV module and process MOVE or COPY methods with alias directives are affected. No specific patch version numbers are listed in the advisory, so any NGINX version still supported should be examined for the vulnerable configuration.

Risk and Exploitability

The CVSS score of 8.8 classifies this as high severity. The EPSS score is less than 1%, indicating that automated exploitation is currently rare, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Likely exploitation requires an attacker who can send crafted HTTP requests to the target, which makes the attack vector remote over the network. The combination of high severity and low exploitation probability places the overall risk in a moderate‑to‑high range for exposed servers.

Generated by OpenCVE AI on March 26, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGINX Open Source or NGINX Plus to the latest supported version
  • If the DAV module is not required, disable it entirely
  • For environments where DAV must remain enabled, restrict the use of MOVE and COPY methods and remove or secure alias directives
  • Actively monitor NGINX worker logs for abnormal restarts or unexpected file operations

Generated by OpenCVE AI on March 26, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_dav_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-24T15:15:00.495Z

Reserved: 2026-03-18T16:06:38.448Z

Link: CVE-2026-27654

cve-icon Vulnrichment

Updated: 2026-03-24T15:14:56.334Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T15:16:33.130

Modified: 2026-03-26T21:16:16.737

Link: CVE-2026-27654

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-24T14:13:26Z

Links: CVE-2026-27654 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:21:00Z

Weaknesses