Description
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the QUIC module of NGINX and allows an attacker to spoof the source IP address. This flaw can subvert authentication checks or bypass rate‑limiting controls, exposing the system to unauthorized actions or denial‑of‑service attacks. The weakness is classified as an authorization failure (CWE‑290) and carries a CVSS score of 6.9.

Affected Systems

Products affected are F5’s NGINX Open Source and NGINX Plus. No specific affected version range is provided in the advisory, and only versions still under Technical Support are considered vulnerable.

Risk and Exploitability

With no EPSS score available, the exact exploitation probability is uncertain, but the medium severity score of 6.9 indicates a meaningful risk. The attack vector is likely network‑based over QUIC, and the advisory notes that IP spoofing can bypass both authorization and rate limiting. The vulnerability is not listed in the CISA KEV catalog, but the potential for widespread misuse remains.

Generated by OpenCVE AI on May 13, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGINX to the latest supported release that contains the vendor fix for the QUIC module.
  • If an upgrade is not immediately possible, disable the QUIC module or remove it from the configuration to eliminate the spoofing surface.
  • Apply network‑level filtering to reject packets with spoofed source addresses and enforce strict IP allow‑lists.
  • Review and tighten authorization logic and rate‑limiting rules to guard against potential bypasses.


Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | F5; F5 nginx Open Source; F5 nginx Plus
Vendors & Products  |                | F5; F5 nginx Open Source; F5 nginx Plus

Wed, 13 May 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title       |                | NGINX ngx_quic_module vulnerability
Weaknesses  |                | CWE-290
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

F5, Nginx Open Source, Nginx Plus

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:06:43.631Z

Reserved: 2026-04-30T23:04:27.969Z

Link: CVE-2026-40460

Vulnrichment

Updated: 2026-05-13T16:06:39.133Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:42.823

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T16:45:44Z

Weaknesses