Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.



 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can exploit NGINX Plus or NGINX Open Source when the ssl_verify_client directive is set to "on" or "optional" and the ssl_ocsp directive is on or leaf parameters use a resolver. By sending specially crafted HTTPS requests, the attacker may trigger a heap‑use‑after‑free error in the NGINX worker process, which can result in limited modification of data or cause the worker process to restart, effectively creating a denial‑of‑service scenario.

Affected Systems

The vulnerability affects F5 NGINX Open Source and NGINX Plus installations that use the ngx_http_ssl_module with the conditions described above. No specific version numbers are provided, so all unpatched releases prior to the fix are potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The attack vector is inferred to be remote, via HTTPS requests, since the flaw is triggered by unauthenticated traffic to the SSL module.

Generated by OpenCVE AI on May 13, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NGINX to the latest supported version that contains the fix.
  • If upgrading is not immediately possible, reconfigure ssl_verify_client to "off" and disable ssl_ocsp or remove resolver directives from leaf parameters to avoid the vulnerable path.
  • Limit exposure by allowing only trusted clients to reach the affected SSL endpoints while monitoring for anomalous request patterns.

Generated by OpenCVE AI on May 13, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6278-1 nginx security update
History

Wed, 13 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_ssl_module vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:07:37.463Z

Reserved: 2026-04-30T23:04:27.950Z

Link: CVE-2026-40701

cve-icon Vulnrichment

Updated: 2026-05-13T16:07:32.802Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:43.863

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40701

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T18:00:05Z

Weaknesses