Description
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Under CWE‑172, when NGINX Open Source is configured to proxy HTTP/2 traffic (proxy_http_version set to 2) and proxy_set_body is used, an attacker can inject custom frame headers and payload bytes into the upstream connection. This allows the attacker to alter the content or headers sent to upstream services, potentially injecting malicious data or modifying request semantics. The flaw does not directly expose a remote code execution path, but it can compromise the integrity of proxied requests and enable downstream services to process manipulated data.

Affected Systems

The vulnerability affects F5:NGINX Open Source deployments that use the ngx_http_proxy_v2_module with HTTP/2 enabled. Specific affected version information is not listed in the CNA data; however, any installation configured with proxy_http_version 2 and proxy_set_body may be at risk, and versions no longer receiving support have not been evaluated.

Risk and Exploitability

The CVSS base score of 6.3 indicates a moderate risk, and the EPSS score is not available, suggesting unclear current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network based, requiring an attacker to send crafted HTTP/2 frames to the proxying endpoint. Successful exploitation would necessitate misconfiguration of the proxy module and does not require elevated privileges or local access.

Generated by OpenCVE AI on May 13, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported release of NGINX Open Source where this issue is fixed.
  • If an upgrade is not immediately possible, disable proxy_http_version 2 or remove proxy_set_body from the configuration to revert to HTTP/1.1 behavior.
  • Employ network segmentation or firewall rules to limit inbound access to the proxying endpoint, reducing the opportunity for an attacker to interact with the vulnerable configuration.

Generated by OpenCVE AI on May 13, 2026 at 17:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
Vendors & Products F5
F5 nginx Open Source

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_proxy_v2_module vulnerability
Weaknesses CWE-172
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

F5 Nginx Open Source
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:16:54.456Z

Reserved: 2026-05-05T21:19:09.531Z

Link: CVE-2026-42926

cve-icon Vulnrichment

Updated: 2026-05-13T16:06:25.462Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:49.640

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42926

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T17:45:25Z

Weaknesses