Impact
When NGINX Plus or NGINX Open Source is used as the data plane for F5 NGINX Gateway Fabric, user-supplied access log format strings are injected directly into NGINX configuration templates without sanitisation. An authenticated attacker with permission to create or modify the NginxProxy Custom Resource Definition can therefore insert arbitrary NGINX directives, potentially changing logging behaviour, opening new listening sockets or introducing other misconfigurations. The flaw is a classic CWE-74 injection: it does not expose data-plane traffic outright, but it grants control-plane manipulation that can lead to denial of service or other adverse effects.
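The mitigation for this class of bug is to treat the log format string as untrusted data and validate it before it ever reaches the template. The following Go snippet is an added illustration written for this page, not code from NGINX Gateway Fabric: it renders a `log_format` directive only after rejecting characters that could terminate or restructure a directive (quotes, semicolons, braces, comment markers, backslashes, newlines) and after checking every `$variable` reference against a small, hypothetical allow-list of well-known NGINX variables. The function names, the allow-list and the directive name rules are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Characters that must never reach an NGINX config template unescaped:
// each of them can end the quoted string or the directive and start a new one.
const forbiddenChars = "'\";{}#\\\r\n"

// Hypothetical allow-list of NGINX variables a log format may reference.
// A real deployment would derive this from the variables it actually supports.
var allowedVars = map[string]bool{
	"remote_addr": true, "remote_user": true, "time_local": true,
	"request": true, "status": true, "body_bytes_sent": true,
	"http_referer": true, "http_user_agent": true,
}

// $name or ${name}; the capture group isolates the variable name.
var variableRef = regexp.MustCompile(`\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?`)

// log_format names are restricted to a conservative identifier shape.
var directiveName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ValidateLogFormat returns an error if the format string could alter the
// structure of the generated configuration or references an unknown variable.
func ValidateLogFormat(format string) error {
	if format == "" || len(format) > 1024 {
		return errors.New("log format must be 1..1024 bytes")
	}
	if i := strings.IndexAny(format, forbiddenChars); i >= 0 {
		return fmt.Errorf("forbidden character %q at offset %d", format[i], i)
	}
	for _, r := range format {
		// Control characters (including tab) are rejected as well.
		if unicode.IsControl(r) || !unicode.IsPrint(r) {
			return fmt.Errorf("non-printable character %U", r)
		}
	}
	for _, m := range variableRef.FindAllStringSubmatch(format, -1) {
		if !allowedVars[m[1]] {
			return fmt.Errorf("variable $%s is not in the allow-list", m[1])
		}
	}
	return nil
}

// RenderLogFormatDirective builds the directive that would be placed in the
// NGINX config, but only after both the name and the format pass validation.
func RenderLogFormatDirective(name, format string) (string, error) {
	if !directiveName.MatchString(name) {
		return "", fmt.Errorf("invalid log_format name %q", name)
	}
	if err := ValidateLogFormat(format); err != nil {
		return "", err
	}
	return fmt.Sprintf("log_format %s '%s';", name, format), nil
}

func main() {
	// Constructed inputs: one benign format and one that tries to close the
	// string and append an extra directive on a new line.
	for _, f := range []string{
		"$remote_addr - $remote_user [$time_local] \"$request\" $status",
		"$remote_addr';\nlisten 8081;\nlog_format x '",
	} {
		d, err := RenderLogFormatDirective("custom", f)
		fmt.Printf("input=%q\n  directive=%q err=%v\n", f, d, err)
	}
}
```

The validator is deliberately an allow-list rather than an escape routine: escaping quotes inside NGINX string literals is easy to get subtly wrong across NGINX versions, whereas refusing structural characters outright leaves no ambiguity for the template to interpret.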
Affected Systems
The vulnerability exists in F5 NGINX Gateway Fabric when it is configured to run the NGINX Plus or NGINX Open Source data plane. No specific product versions are listed, but any supported deployment that uses the configuration generator component is affected. Per the advisory, end-of-service versions are not evaluated.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity, yet the EPSS score of below 1 % suggests a very low probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires authenticated, privileged access to the Kubernetes API to create or modify the NginxProxy CRD, an attacker must already hold some level of control over the cluster. Once that access is obtained, the attacker can inject configuration directives that may compromise the control plane or enable further attacks.
OpenCVE Enrichment