CVE-2026-28755

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.  

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5NGINX Open Source1.29.0 < 1.29.7affected
F5NGINX Open Source1.27.2 < 1.28.3affected
F5NGINX PlusR36 < R36 P3affected
F5NGINX PlusR35 < R35 P2affected
F5NGINX PlusR34 < *affected
F5NGINX PlusR33 < *affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References