Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SMTP header injection
Action: Patch Now
AI Analysis

Impact

The vulnerability originates in the ngx_mail_smtp_module, where improper handling of CRLF sequences in DNS responses allows an attacker-controlled DNS server to inject arbitrary SMTP headers into upstream requests. This can lead to manipulation of the SMTP command stream, including forged message headers or altered control flow, potentially enabling replay attacks, bypassing email authentication, or compromising email integrity. The weakness is classified under CWE-93: Improper Handling of CRLF Sequences.

Affected Systems

This flaw affects F5 NGINX Open Source and all NGINX Plus releases from R32 through R36, covering multiple patch levels (p1, p2, p3, p4, etc.) as listed in the CPE data. Versions that have reached End of Technical Support are excluded from the CVE assessment.

Risk and Exploitability

The CVSS base score is 6.3, indicating medium severity. The EPSS value of less than 1% and the lack of inclusion in the CISA KEV catalog suggest a low likelihood of widespread exploitation. Exploitation requires control over a DNS server that NGINX queries during SMTP processing, meaning the attack vector is network-based and limited to deployments using untrusted DNS resolvers. Successful exploitation would allow an attacker to alter SMTP traffic and potentially compromise email confidentiality and integrity.

Generated by OpenCVE AI on March 26, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor-published patch for NGINX Open Source and NGINX Plus that fixes CRLF handling in ngx_mail_smtp_module.
  • If an upgrade cannot be performed immediately, disable the ngx_mail_smtp_module or configure NGINX to use a trusted DNS resolver to prevent malicious DNS responses.
  • Monitor SMTP traffic for unexpected headers and review logs for anomalous SMTP command sequences.
  • Verify that outbound DNS queries are made to a secure DNS provider and consider DNSSEC validation if supported.
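The Impact section above describes the failure mode (a CR or LF inside a DNS response is copied into an SMTP command line, so the upstream parser sees extra lines), and the recommended actions ask for monitoring of unexpected SMTP command sequences. The following is an added illustration, not NGINX code and not OpenCVE's: a small Python validator for a DNS-derived hostname, the unchecked formatting path beside the checked one, and a line counter that shows how a defender can recognise an injected line. The DNS values, the command verb and the function names are all constructed for the example.

```python
"""
Added example (not from NGINX or OpenCVE): validate a DNS-derived value before
it is embedded in an SMTP command line. A CR or LF in a DNS answer must not be
able to terminate the command early and smuggle extra lines to the upstream.
"""
import re

# RFC 1123 hostname label: letters, digits and hyphen, 1-63 chars,
# no leading or trailing hyphen. Anything else (underscore, space,
# control characters) is rejected before it reaches the SMTP stream.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_CTRL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other control byte


class UnsafeDnsValue(ValueError):
    """Raised when a DNS-derived string is not safe to put on an SMTP line."""


def validate_hostname(name: str) -> str:
    """Return `name` unchanged if it is a syntactically valid hostname.

    Rejects control characters first (that is the CRLF case), then length
    limits, then label syntax. The check is deliberately strict: a resolver
    answer that does not look like a hostname is treated as hostile input.
    """
    if _CTRL.search(name):
        raise UnsafeDnsValue("control character in DNS-derived name")
    if not name or len(name) > 253:
        raise UnsafeDnsValue("hostname length out of range")
    for label in name.rstrip(".").split("."):
        if not _LABEL.match(label):
            raise UnsafeDnsValue(f"invalid hostname label {label!r}")
    return name


def build_command_unchecked(verb: str, value: str) -> bytes:
    """The weak pattern: the DNS value is trusted as-is (constructed, not NGINX's)."""
    return f"{verb} {value}\r\n".encode("ascii", "replace")


def build_command_checked(verb: str, value: str) -> bytes:
    """The hardened pattern: the DNS value is validated before formatting."""
    return f"{verb} {validate_hostname(value)}\r\n".encode("ascii")


def count_smtp_lines(wire: bytes) -> int:
    """Number of complete SMTP lines an upstream parser would see.

    One command should produce exactly one line; anything more means a
    line terminator was injected by the value, which is the signal a
    monitor for 'anomalous SMTP command sequences' can alert on.
    """
    return wire.count(b"\r\n")


if __name__ == "__main__":
    # Constructed sample answers: one clean name, one carrying a CRLF.
    clean = "mail.example.net"
    injected = "mail.example.net\r\nNOOP injected-line"

    print(count_smtp_lines(build_command_unchecked("HELO", clean)))     # 1
    print(count_smtp_lines(build_command_unchecked("HELO", injected)))  # 2
    try:
        build_command_checked("HELO", injected)
    except UnsafeDnsValue as exc:
        print("rejected:", exc)
```

The same validator can be run over the resolved names in a proxy's own logs to spot answers that should never have been accepted. For the resolver part of the recommended actions: the NGINX mail context has a `resolver` directive (documented for ngx_mail_core_module, not taken from this page), and pointing it at a resolver the operator controls is the configuration change the second bullet refers to.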



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:30:00 +0000

Type: CPEs
Values Removed: (none listed)
Values Added:
  cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Type: Vendors & Products
Values Removed: (none listed)
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Wed, 25 Mar 2026 00:15:00 +0000

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Low


Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none listed)
Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 15:15:00 +0000

Type: Description
Values Removed: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Values Added: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Tue, 24 Mar 2026 14:45:00 +0000

Type: Description
Values Removed: (none listed)
Values Added: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Removed: (none listed)
Values Added: NGINX ngx_mail_proxy_module vulnerability

Type: Weaknesses
Values Removed: (none listed)
Values Added: CWE-93

Type: References
Values Removed: (none listed)
Values Added: (none listed)

Type: Metrics
Values Removed: (none listed)
Values Added:
  cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-24T15:24:34.995Z

Reserved: 2026-03-18T16:06:38.435Z

Link: CVE-2026-28753

Vulnrichment

Updated: 2026-03-24T15:24:31.847Z

NVD

Status : Analyzed

Published: 2026-03-24T15:16:33.560

Modified: 2026-03-26T21:15:24.053

Link: CVE-2026-28753

Redhat

Severity : Low

Public Date: 2026-03-24T14:13:26Z

Links: CVE-2026-28753 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:21:02Z

Weaknesses