CVE-2026-1642

CVSS Score: 5.9 (Medium)
Published: Feb 04, 2026
Last Modified: Feb 13, 2026

Vulnerability Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: N
Attack Complexity: H
Privileges Required: N
User Interaction: N
Scope: U
Confidentiality: N
Integrity: H
Availability: N

Known Affected Software

21 configuration(s) from 1 vendor(s)

nginx_plus, Version: r32, CPE: cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
nginx_plus, Version: r33, CPE: cpe:2.3:a:f5:nginx_plus:r33:-:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.7.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.7.0:*:*:*:*:*:*:*
nginx_plus, Version: r35, CPE: cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.5.2, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.5.2:*:*:*:*:*:*:*
nginx_plus, Version: r34, CPE: cpe:2.3:a:f5:nginx_plus:r34:-:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.5.1, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.5.1:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.4.2, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.4.2:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.6.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.6.0:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 5.3.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:5.3.0:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.6.2, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.6.2:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.4.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.4.0:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.4.3, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.4.3:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 4.0.1, CPE: cpe:2.3:a:f5:nginx_ingress_controller:4.0.1:*:*:*:*:*:*:*
nginx_plus, Version: r36, CPE: cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.4.1, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.4.1:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.5.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.5.0:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.6.1, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.6.1:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.7.2, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.7.2:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 4.0.0, CPE: cpe:2.3:a:f5:nginx_ingress_controller:4.0.0:*:*:*:*:*:*:*
nginx_ingress_controller, Version: 3.7.1, CPE: cpe:2.3:a:f5:nginx_ingress_controller:3.7.1:*:*:*:*:*:*:*

This vulnerability affects 21 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

3 patches available from vendors

Oracle
CPUAPR2026: Oracle Critical Patch Update Advisory - April 2026
Severity: Critical
Released: Apr 21, 2026
Restart Required; Security Update

SUSE
CVE-2026-1642: CVE-2026-1642
Severity: Unknown
Released: Mar 05, 2026
Security Update

Canonical (Ubuntu)
USN-8038-1: nginx vulnerability
Severity: Unknown
Released: Feb 12, 2026
Security Update

Severity Details

5.9 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

Description: The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
Typical Severity: Medium
Abstraction Level: Base

Key Information

Published Date: February 04, 2026