INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
F5 Patches Critical NGINX Vulnerabilities
2026-06-18 17:32 | CRITICAL MEDIUM
Executive Summary AI-generated
The discovery of two critical security vulnerabilities in NGINX Open Source and other F5 NGINX products has raised concerns about exploitation by malicious actors. The flaws, identified as CVE-2026-42530 (CVSS v4 score 9.2) and CVE-2026-42055, can be exploited to achieve code execution on affected systems. Both depend on non-default configuration: CVE-2026-42530 requires HTTP/3 to be enabled, and CVE-2026-42055 requires HTTP/2 proxying together with the ignore_invalid_headers off directive and a large_client_header_buffers size above 2 MB. F5 has released security updates to address these issues, but the timeline for widespread deployment is uncertain due to the complexity of mitigating these types of attacks.
Technical Mitigations AI-generated
* Disable HTTP/3: Disabling HTTP/3, by removing quic from all listen directives, prevents remote code execution through CVE-2026-42530, but it may also impact performance and compatibility with certain applications.
* Remove the ignore_invalid_headers off directive, or reduce the large_client_header_buffers size below 2 MB, for CVE-2026-42055. This mitigates the risk of the heap-based buffer overflow.
* Use a secure configuration: Ensure that NGINX is configured to use secure protocols (e.g., HTTPS) and limit the number of open connections, which can reduce the attack surface.
* Keep software up-to-date: Regularly update F5 products and other dependencies to ensure you have the latest security patches and fixes.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-42945
CVE-2026-42055
CVE-2026-42530
CVE-2026-50107
CVE-2026-11311
Target & Sectors
Global Scope
technology
Incident Timeline
August 2025
Threat actors exploited a previously unknown vulnerability in F5's NGINX open source software to gain access to the company's systems.
2026/05/19
Threat actors exploited a recently disclosed critical security defect in NGINX Plus and NGINX Open Source, allowing remote code execution.
As recently as last month, another critical security defect in NGINX Plus and NGINX Open Source (CVE-2026-42945, CVSS score: 9.2), also called NGINX Rift, came under active exploitation within days after public disclosure.
Jun 18, 2026
The threat actors exploited a remote code execution vulnerability in NGINX Ingress Controller 5.0.0 - 5.5.0, which was patched by F5 as of version 37.0.2.1 and later versions.
The vulnerabilities are listed below - CVE-2026-42530 (CVSS v4 score: 9.2) -
Both shortcomings have been patched in the following versions -
CVE-2026-42530
-
NGINX Open Source 1.31.0 - 1.31.1 (Fixed in 1.31.2)
NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
NGINX Gateway Fabric 1.3.0 - 1.6.2
NGINX Instance Manager 2.17.0 - 2.22.0
NGINX Ingress Controller 5.0.0 - 5.5.0
NGINX Ingress Controller 4.0.0 - 4.0.1
NGINX Ingress Controller 3.5.0 - 3.7.2
CVE-2026-42055
-
NGINX Plus 37.0.0 - 37.0.1 (Fixed in 37.0.2.1)
NGINX Plus R33 - R36 (Fixed in R36 P6)
NGINX Open Source 1.31.1 (Fixed in 1.31.2)
NGINX Open Source 1.30.0 - 1.30.2 (Fixed in 1.30.3)
NGINX Instance Manager 2.17.0 - 2.22.0
F5 WAF for NGINX 5.9.0 - 5.13.1
NGINX App Protect WAF 5.2.0 - 5.8.0
NGINX App Protect WAF 4.10.0 - 4.16.0
F5 DoS for NGINX 4.9.0
NGINX App Protect DoS 4.3.0 - 4.7.0
NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
NGINX Gateway Fabric 1.3.0 - 1.6.2
NGINX Ingress Controller 5.0.0 - 5.5.0
NGINX Ingress Controller 4.0.0 - 4.0.1
NGINX Ingress Controller 3.5.0 - 3.7.2
As mitigations, F5 has outlined the following actions -
CVE-2026-42530 - Disable HTTP/3
CVE-2026-42055 - Remove the ignore_invalid_headers off directive from the configuration, or reduce the large_client_header_buffers directive size below 2 MB
Although F5 makes no mention of the vulnerabilities being exploited in the wild, security flaws in F5 products have been repeatedly exploited by bad actors.
CVE-2026-42055 - A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules that could be triggered by a remote unauthenticated attacker when the proxy_http_version 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 MB, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
CVE-2026-42530 - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module to reopen a QPACK encoder stream by means of a specially crafted HTTP/3 session, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
2026/06/18
F5 released emergency updates for critical NGINX flaws (CVE-2026-42530, CVE-2026-42055) that could enable unauthenticated code execution.
F5 Patches Critical NGINX Vulnerabilities Enabling Unauthenticated Code Execution
F5 issues out-of-band patches for critical NGINX vulnerabilities.
The two critical vulnerabilities were found in the ngx_http_v3_module (CVE-2026-42530) and the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations.
“This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution.
Admins who can't immediately install the security updates can mitigate CVE-2026-42530 by disabling HTTP/3 (removing quic from all listen directives) and CVE-2026-42055 by removing the ignore_invalid_headers off directive from the configuration and reducing the large_client_header_buffers directive size below 2 megabytes.
F5 has released security fixes for multiple NGINX software products affected by these two vulnerabilities, including NGINX Plus and NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager.
F5 has released security updates for NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric to fix the recently disclosed vulnerabilities.
Ravie Lakshmanan
Jun 18, 2026
Vulnerability / Cloud Security
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.
When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker, given conditions beyond their control, can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.
The company also addressed two high-severity NGINX Gateway Fabric security flaws, tracked as CVE-2026-11311 and CVE-2026-50107, that can be exploited by authenticated attackers to inject arbitrary NGINX configuration directives.
When HTTP/3 QUIC support is enabled, a remote unauthenticated attacker can exploit a specially crafted HTTP/3 session to reopen a QPACK encoder stream, causing memory corruption in the NGINX worker process.
Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
In both cases, they can also "execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR."
Pierluigi Paganini (SecurityAffairs – hacking, F5)
F5 is a Fortune 500 technology company that provides cybersecurity, application delivery networking (ADN), and various other services to over 23,000 customers worldwide, including 48 of the Fortune 50 companies and 80% of the Fortune Global 500.
As mitigations, F5 has outlined the following actions -
CVE-2026-42530 - Disable HTTP/3
CVE-2026-42055 - Remove the ignore_invalid_headers off directive from the configuration, or reduce the large_client_header_buffers directive size below 2 MB
Although F5 makes no mention of the vulnerabilities being exploited in the wild, security flaws in F5 products have been repeatedly exploited by bad actors.
Both shortcomings have been patched in the following versions -
CVE-2026-42530 -
NGINX Open Source 1.31.0 - 1.31.1 (Fixed in 1.31.2)
NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
NGINX Gateway Fabric 1.3.0 - 1.6.2
NGINX Instance Manager 2.17.0 - 2.22.0
NGINX Ingress Controller 5.0.0 - 5.5.0
NGINX Ingress Controller 4.0.0 - 4.0.1
NGINX Ingress Controller 3.5.0 - 3.7.2
CVE-2026-42055 -
NGINX Plus 37.0.0 - 37.0.1 (Fixed in 37.0.2.1)
NGINX Plus R33 - R36 (Fixed in R36 P6)
NGINX Open Source 1.31.1 (Fixed in 1.31.2)
NGINX Open Source 1.30.0 - 1.30.2 (Fixed in 1.30.3)
NGINX Instance Manager 2.17.0 - 2.22.0
F5 WAF for NGINX 5.9.0 - 5.13.1
NGINX App Protect WAF 5.2.0 - 5.8.0
NGINX App Protect WAF 4.10.0 - 4.16.0
F5 DoS for NGINX 4.9.0
NGINX App Protect DoS 4.3.0 - 4.7.0
NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
Intelligence Sources
The Hacker News
2026-06-18
Security Affairs
2026-06-18
BleepingComputer
2026-06-18
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:26
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 31x | infrastructure | Software Version | 1.31.0 | version
* 20x | organisation | Identified Entity | CVSS | entity
* 5x | vulnerability | Exploited CVE | CVE-2026-42530 | cve
* 4x | timeline | Temporal Reference | Jun 18, 2026 | date
* 3x | tactic | Cyber Operation Type | Remote Code Execution | tactic
* 3x | general metric | % | 80 | %
* 2x | general metric | Jun | 18 | jun
* 2x | victims | Customers | 23,000 | customers
Contextual Telemetry
Context Block: 10 METRICS
* general metric | Vulnerabilities | 9 | vulnerabilities
* general metric | Directives | 2 | directives
* data breach | Mb | 2 | mb
* general metric | Nginx | 42,530 | nginx
* tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
* vulnerability | CVSS Score | 9 | score
* industry | Targeted Sector | Technology | sector
* general metric | Technology | 500 | technology
* general metric | Fortune | 50 | fortune
* attribution | Attributing Entity | the U.S. Cybersecurity and Infrastructure Security Agency | authority