CVE-2026-11311

EUVD-2026-37720

17.06.2026, 15:16

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
f5	CNA	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
f5	nginx_gateway_fabric	2.5.0 ≤ 𝑥 < 2.6.4	CNA

Common Weakness Enumeration

CWE-76 - Improper Neutralization of Equivalent Special Elements
The software properly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

References

https://my.f5.com/manage/s/article/K000161611