CVE-2026-1642
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| F5 | NGINX Open Source | 1.3.0 < 1.29.5 | affected |
| F5 | NGINX Plus | R36 < R36 P2 | affected |
| F5 | NGINX Plus | R35 < R35 P1 | affected |
| F5 | NGINX Plus | R34 < * | affected |
| F5 | NGINX Plus | R33 < * | affected |
| F5 | NGINX Plus | R32 < R32 P4 | affected |
Weaknesses
- CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.