CVE-2026-1642

Summary

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5NGINX Open Source1.3.0 < 1.29.5affected
F5NGINX PlusR36 < R36 P2affected
F5NGINX PlusR35 < R35 P1affected
F5NGINX PlusR34 < *affected
F5NGINX PlusR33 < *affected
F5NGINX PlusR32 < R32 P4affected

Weaknesses

  • CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References