CVE-2026-27651

Summary

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5NGINX Open Source1.29.0 < 1.29.7affected
F5NGINX Open Source0.5.15 < 1.28.3affected
F5NGINX PlusR36 < R36 P3affected
F5NGINX PlusR35 < R35 P2affected
F5NGINX PlusR34 < *affected
F5NGINX PlusR33 < *affected
F5NGINX PlusR32 < R32 P5affected

Weaknesses

  • CWE-476: CWE-476 NULL Pointer Dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

NGINX: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled

Additional References

References