CVE-2026-1642
EUVD-2026-549804.02.2026, 15:16
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| f5 | nginx_gateway_fabric | 1.2.0 ≤ 𝑥 ≤ 1.6.2 |
| f5 | nginx_gateway_fabric | 2.0.0 ≤ 𝑥 < 2.4.1 |
| f5 | nginx_ingress_controller | 3.4.0 ≤ 𝑥 ≤ 3.7.2 |
| f5 | nginx_ingress_controller | 4.0.0 ≤ 𝑥 ≤ 4.0.1 |
| f5 | nginx_ingress_controller | 5.0.0 ≤ 𝑥 < 5.3.3 |
| f5 | nginx_instance_manager | 2.15.1 ≤ 𝑥 ≤ 2.21.0 |
| f5 | nginx_open_source | 1.3.0 ≤ 𝑥 < 1.28.2 |
| f5 | nginx_open_source | 1.29.0 ≤ 𝑥 < 1.29.5 |
| f5 | nginx_plus | r33 ≤ 𝑥 < r35 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted DataThe software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
- CWE-345 - Insufficient Verification of Data AuthenticityThe software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Vulnerability Media Exposure