Description
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module can cause uncontrolled memory allocation or an over-read of data. An unauthenticated attacker capable of performing a man‑in‑the‑middle attack on the upstream server can send crafted responses that lead to an excessive memory request or read beyond the intended buffer, thereby allowing the attacker to read sensitive memory or trigger a worker process restart. The weakness is represented by CWE‑789 and CWE‑823.

Affected Systems

Both NGINX Open Source and NGINX Plus are affected. The advisory lists no specific version numbers, so any NGINX build that includes these modules and is still within technical support should be treated as potentially vulnerable; versions that have reached End of Technical Support were not evaluated.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity. While EPSS data is not available, the absence of a KEV listing suggests no known widespread exploitation yet. The likely attack path requires the attacker to control upstream responses, typically through a compromised or malicious upstream service, which can be achieved by controlling the network path to the upstream or its software supply chain. A successful exploit could read worker process memory or force a restart, impacting confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 13, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest NGINX patch or upgrade to a version that addresses the scgi/uwsgi module memory allocation flaw.
  • Remove or limit the use of scgi_pass and uwsgi_pass directives, or restrict them to trusted upstream servers.
  • Enforce secure transport (TLS) for upstream connections to prevent man‑in‑the‑middle manipulation of responses.
  • Enable monitoring for abnormal memory usage or worker process restarts to detect exploitation attempts.

Generated by OpenCVE AI on May 13, 2026 at 17:42 UTC.
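The two configuration and monitoring actions above (restricting scgi_pass/uwsgi_pass to trusted upstreams, and watching for worker restarts or abnormal memory use) can be checked mechanically. The script below is an added example, not part of the OpenCVE record or of NGINX itself: it audits an nginx configuration for scgi_pass and uwsgi_pass targets that leave the local host, and triages nginx error-log lines for worker crashes and failed allocations. SAMPLE_CONF and SAMPLE_LOG are constructed inputs; the function names (audit_config, classify_upstream, scan_error_log, is_anomalous) are this example's own. The log patterns matched are nginx's standard "worker process N exited on signal S" and "malloc(N) failed" messages.

```python
"""Added defensive helpers for the NGINX scgi/uwsgi advisory (not project code):
(1) audit an nginx config for scgi_pass/uwsgi_pass targets that leave the host,
(2) flag worker crashes and allocation failures in nginx error.log lines."""
import re
from ipaddress import ip_address

# --- (1) configuration audit -------------------------------------------------

# Constructed sample config (hypothetical; not taken from the advisory).
SAMPLE_CONF = """
server {
    location /app/    { uwsgi_pass 203.0.113.10:3031; include uwsgi_params; }
    location /legacy/ { scgi_pass  unix:/run/legacy.sock; }
    location /local/  { scgi_pass  127.0.0.1:4000; }
    location /pool/   { uwsgi_pass suwsgi://backend_pool; }
}
"""

PASS_RE = re.compile(r'\b(scgi_pass|uwsgi_pass)\s+([^;]+);')


def host_of(target):
    """Strip an optional scheme and port from a pass target, keeping the host."""
    t = re.sub(r'^[a-z]+://', '', target)
    m = re.match(r'^\[([^\]]+)\](?::\d+)?$', t)   # [ipv6]:port form
    if m:
        return m.group(1)
    return re.sub(r':\d+$', '', t)


def classify_upstream(target):
    """local:   unix socket or loopback address (no network path to intercept)
    tls:     suwsgi:// target (still confirm uwsgi_ssl_verify is on)
    network: plaintext SCGI/uwsgi over the network (exposed to MITM)
    named:   upstream{} group or DNS name whose members must be inspected"""
    target = target.strip()
    if target.startswith('unix:'):
        return 'local'
    if target.startswith('suwsgi://'):
        return 'tls'
    host = host_of(target)
    if host == 'localhost':
        return 'local'
    try:
        if ip_address(host).is_loopback:
            return 'local'
    except ValueError:
        return 'named'
    return 'network'


def audit_config(conf_text):
    """Return (directive, target, class) for every scgi_pass/uwsgi_pass found."""
    return [(d, t.strip(), classify_upstream(t)) for d, t in PASS_RE.findall(conf_text)]


# --- (2) error-log triage -----------------------------------------------------

LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.*)$')
CRASH_RE = re.compile(r'worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)')
ALLOC_RE = re.compile(r'malloc\((?P<size>\d+)\) failed')


def scan_error_log(lines):
    """Collect worker crashes and failed allocations from nginx error-log lines."""
    crashes, alloc_failures = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        c = CRASH_RE.search(msg)
        if c:
            crashes.append((m.group('ts'), int(c.group('pid')), int(c.group('sig'))))
        a = ALLOC_RE.search(msg)
        if a:
            alloc_failures.append((m.group('ts'), int(a.group('size'))))
    return {'crashes': crashes, 'alloc_failures': alloc_failures}


def is_anomalous(summary, max_crashes=0):
    """Any failed allocation, or more worker crashes than tolerated, warrants a look."""
    return bool(summary['alloc_failures']) or len(summary['crashes']) > max_crashes


# Constructed sample error-log lines (hypothetical values, not real incident data).
SAMPLE_LOG = """\
2026/05/13 17:30:01 [notice] 1200#0: start worker process 1201
2026/05/13 17:31:10 [alert] 1200#0: worker process 1201 exited on signal 11 (core dumped)
2026/05/13 17:31:10 [notice] 1200#0: start worker process 1210
2026/05/13 17:31:15 [emerg] 1210#0: malloc(4294967295) failed (12: Cannot allocate memory)
2026/05/13 17:31:16 [alert] 1200#0: worker process 1210 exited on signal 6 (core dumped)
""".splitlines()

if __name__ == '__main__':
    for directive, target, cls in audit_config(SAMPLE_CONF):
        print(f'{directive:<10} {target:<28} {cls}')
    summary = scan_error_log(SAMPLE_LOG)
    print('crashes:', summary['crashes'])
    print('alloc failures:', summary['alloc_failures'])
    print('anomalous:', is_anomalous(summary))
```

Targets classed as "network" or "named" are the ones to review against the second and third recommended actions; a "named" target points at an upstream{} block or DNS name, so its members need the same check. For the log side, a worker exiting on a signal or a failed malloc is worth an alert on any host that proxies to SCGI or uwsgi backends, since both match the memory over-read and excessive-allocation outcomes the advisory describes.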

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

(No values removed in this change.)

Type: First Time appeared
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Type: Vendors & Products
Values Added: F5; F5 nginx Open Source; F5 nginx Plus

Wed, 13 May 2026 16:15:00 +0000

(No values removed in this change.)

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

(No values removed in this change.)

Type: Description
Values Added: A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Added: NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability

Type: Weaknesses
Values Added: CWE-789; CWE-823

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:06:56.898Z

Reserved: 2026-04-30T23:04:27.965Z

Link: CVE-2026-42946

Vulnrichment

Updated: 2026-05-13T16:06:52.430Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:50.340

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:45:25Z

Weaknesses