CVE-2026-28753

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5NGINX Open Source1.29.0 < 1.29.7affected
F5NGINX Open Source0.6.27 < 1.28.3affected
F5NGINX PlusR36 < R36 P3affected
F5NGINX PlusR35 < R35 P2affected
F5NGINX PlusR34 < *affected
F5NGINX PlusR33 < *affected
F5NGINX PlusR32 < R32 P5affected

Weaknesses

  • CWE-93: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References