CVE-2026-40460

Summary

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5NGINX PlusR37 < *unaffected
F5NGINX PlusR36 < R36 P4affected
F5NGINX PlusR32 < R32 P6affected
F5NGINX Open Source1.31.0 < *unaffected
F5NGINX Open Source1.26.0 < 1.30.1affected

Weaknesses

  • CWE-290: CWE-290 Authentication Bypass by Spoofing

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References