Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.  


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: TLS handshake bypass with revoked certificates
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the ngx_stream_ssl_module of NGINX, where improper handling of revoked certificates leads to the server accepting a TLS handshake even when an OCSP check reports the certificate as revoked. This flaw enables connections that bypass standard revocation validation, potentially allowing attackers to establish secure communications with compromised or stolen certificates, undermining the trust model of TLS and facilitating unauthorized data exchange. The weakness corresponds to CWE-295 and CWE-863.

Affected Systems

Both F5's NGINX Open Source and NGINX Plus products are affected. No specific version numbers are listed, so this applies to all builds that include the ngx_stream_ssl_module configured with ssl_verify_client and ssl_ocsp directives.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate risk. The EPSS score is below 1%, suggesting that exploitation is currently uncommon. The vulnerability is not listed in CISA's KEV catalog, implying no known widespread exploitation. An attacker would need to target a client or server configured to enforce client certificate verification and OCSP checking, then supply a revoked certificate to establish a TLS session that the server mistakenly accepts. Given the remote nature of the weakness, mitigation should be prioritized to protect any services that use mutual TLS or server-side certificate verification.

Generated by OpenCVE AI on March 26, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor‑supplied patch or upgrade to the latest NGINX version that contains the fix for the ngx_stream_ssl_module.
  • As a temporary workaround, disable ssl_verify_client and/or ssl_ocsp directives on the affected server until a patched version is installed.
  • Verify that any remaining deployments are properly configured to reject revoked certificates and that OCSP responses are validated correctly.
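The last action above amounts to an inventory question: which stream servers actually run with both `ssl_verify_client on` and `ssl_ocsp on`, the directive pair the advisory names? The following script is an added example written for this page, not OpenCVE's or F5's code. It assumes standard nginx configuration syntax (directives end in `;`, blocks use `{ }`, `#` starts a comment), honors inheritance of directives from the enclosing `stream {}` block into its `server {}` blocks, and does not follow `include` directives. The sample configurations are constructed for the example. It only locates affected configurations; it does not touch the TLS handshake.

```python
"""Locate nginx stream servers configured with the directive pair named in
CVE-2026-28755 (ssl_verify_client on + ssl_ocsp on).

Added example for this page; not OpenCVE's or F5's code. Assumptions:
standard nginx config syntax, no 'include' resolution, and '#' is treated
as a comment start even inside quoted strings (a simplification).
"""
import re
from collections import defaultdict

# Tokens: quoted strings, the structural characters { } ;, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

# Constructed sample configs (not from the page).
SAMPLE_VULNERABLE = """
stream {
    server {
        listen 4433 ssl;
        ssl_certificate /etc/nginx/server.crt;        # hypothetical path
        ssl_certificate_key /etc/nginx/server.key;    # hypothetical path
        ssl_client_certificate /etc/nginx/ca.crt;     # hypothetical path
        ssl_verify_client on;   # mutual TLS
        ssl_ocsp on;            # OCSP revocation check of client certs
        proxy_pass backend:5432;
    }
}
"""

# Same directives, but in http{} rather than stream{}: not the module the
# advisory describes, so the auditor must not flag it.
SAMPLE_HTTP_ONLY = """
http {
    server {
        listen 443 ssl;
        ssl_verify_client on;
        ssl_ocsp on;
    }
}
"""

# ssl_verify_client set once at stream level and inherited by both servers;
# only the server that also enables ssl_ocsp is affected.
SAMPLE_INHERITED = """
stream {
    ssl_verify_client on;
    server { listen 9000 ssl; ssl_ocsp on; }
    server { listen 9001 ssl; ssl_ocsp off; }
}
"""


def strip_comments(text):
    """Drop everything after '#' on each line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Return a list of (block_path, directive, args).

    block_path is a tuple of enclosing blocks such as ('stream[1]', 'server[2]');
    the counter distinguishes sibling blocks with the same name.
    """
    directives, stack, current = [], [], []
    counters = defaultdict(int)
    for tok in TOKEN_RE.findall(strip_comments(text)):
        if tok == "{":
            name = current[0] if current else "?"
            key = tuple(stack) + (name,)
            counters[key] += 1
            stack.append(f"{name}[{counters[key]}]")
            current = []
        elif tok == "}":
            if stack:
                stack.pop()
            current = []
        elif tok == ";":
            if current:
                directives.append((tuple(stack), current[0], tuple(current[1:])))
            current = []
        else:
            current.append(tok)
    return directives


def effective(directives, path, name):
    """Args of `name` in effect at `path`: the innermost definition in `path`
    or one of its enclosing blocks (nginx inheritance), else None."""
    best = None
    for ctx, dname, args in directives:
        if dname == name and path[:len(ctx)] == ctx:
            if best is None or len(ctx) > len(best[0]):
                best = (ctx, args)
    return best[1] if best else None


def find_affected(text):
    """Return the 'listen' arguments of every stream server block where both
    ssl_verify_client and ssl_ocsp are effectively 'on'."""
    directives = parse(text)
    servers = sorted({ctx for ctx, _, _ in directives
                      if len(ctx) == 2 and ctx[0].startswith("stream[")
                      and ctx[1].startswith("server[")})
    hits = []
    for srv in servers:
        verify = effective(directives, srv, "ssl_verify_client")
        ocsp = effective(directives, srv, "ssl_ocsp")
        if verify and verify[0] == "on" and ocsp and ocsp[0] == "on":
            hits.append(" ".join(effective(directives, srv, "listen") or ()))
    return hits


if __name__ == "__main__":
    for label, cfg in [("vulnerable", SAMPLE_VULNERABLE),
                       ("http-only", SAMPLE_HTTP_ONLY),
                       ("inherited", SAMPLE_INHERITED)]:
        print(label, "->", find_affected(cfg))
```

Feed it the output of `nginx -T` (which prints the fully merged configuration, includes resolved) rather than a single file, so inherited and included directives are both seen. Each reported `listen` socket is a stream server that needs the patched build or one of the workarounds listed above.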

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added:
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Type: Vendors & Products
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Wed, 25 Mar 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-295

Type: References
Values: (none listed)

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Moderate


Tue, 24 Mar 2026 15:15:00 +0000

Type: Description
Values Removed: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module due to the improper handling of revoked certificates when configured with ssl_verify_client on and ssl_ocsp on, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Values Added: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Tue, 24 Mar 2026 14:45:00 +0000

Type: Description
Values Added: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module due to the improper handling of revoked certificates when configured with ssl_verify_client on and ssl_ocsp on, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Added: NGINX ngx_stream_ssl_module vulnerability

Type: Weaknesses
Values Added: CWE-863

Type: References
Values: (none listed)

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-24T15:24:16.108Z

Reserved: 2026-03-18T16:06:38.442Z

Link: CVE-2026-28755

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-24T15:16:33.773

Modified: 2026-03-26T14:09:37.177

Link: CVE-2026-28755

Redhat

Severity : Moderate

Public Date: 2026-03-24T14:13:26Z

Links: CVE-2026-28755 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:21:01Z

Weaknesses