Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 8.8 High
EPSS: 7.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the ngx_http_dav_module of NGINX Open Source and NGINX Plus, allowing a buffer overflow120, CWE-122) when the server processes HTTP MOVE or COPY requests that use a prefix-location configuration and an alias directive. This can cause the worker process to terminate or to access paths outside the document root. The worker runs with low privileges, so the ability to compromise the system as a whole is limited to files within or adjacent to the web directory, but the opportunity to disrupt service via a crash remains substantial.

Affected Systems

All installations of NGINX Open Source and all versions of NGINX Plus that enable the DAV module and process MOVE or COPY methods with alias directives are affected. The advisory does not list specific patch versions, so any supported NGINX release that be vulnerable.

Risk and Exploitability

The CVSS score of 8.8 classifies this issue as high severity, and the EPSS score of 8% indicates a relatively high probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing specially crafted HTTP MOVE or COPY requests; this inference is drawn from the description of the vulnerable configuration and the nature of web server interactions.

Generated by OpenCVE AI on June 24, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported NGINX Open Source or NGINX Plus
  • If the DAV is enabled, eliminate MOVE and COPY method handling or remove alias directives for requests that use the DAV module
  • Monitor NGINX worker logs for abnormal restarts or unexpected file access patterns

Generated by OpenCVE AI on June 24, 2026 at 12:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4589-1 nginx security update
Ubuntu USN Ubuntu USN USN-8375-1 nginx vulnerabilities
History

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_dav_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-24T15:15:00.495Z

Reserved: 2026-03-18T16:06:38.448Z

Link: CVE-2026-27654

cve-icon Vulnrichment

Updated: 2026-03-24T15:14:56.334Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T15:16:33.130

Modified: 2026-06-17T10:27:28.187

Link: CVE-2026-27654

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-24T14:13:26Z

Links: CVE-2026-27654 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-122

    Heap-based Buffer Overflow