Acceptance of extraneous untrusted data with trusted data in nginx and NGINX Plus - CVE-2026-1642

 


Published: February 5, 2026


Vulnerability identifier: #VU122335
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2026-1642
CWE-ID: CWE-349
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software:
nginx
NGINX Plus

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect handling of trusted and untrusted data when nginx is configured to proxy to upstream Transport Layer Security (TLS) servers. A remote unauthenticated attacker with a man-in-the-middle (MITM) position on the upstream server side can inject plain text data into the responses from an upstream proxied server that are sent to clients.


How to mitigate CVE-2026-1642

Install updates from the vendor's website.
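To decide which instances to update first, it helps to inventory the configurations that proxy to TLS upstreams, the condition named in the description. The following is an added example, not part of the advisory or of vendor tooling; the advisory does not list specific directives, so the directive set, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Directives that make nginx open a TLS connection to an upstream server.
# Assumption: this set is illustrative; the advisory names no directives.
TLS_UPSTREAM = re.compile(
    r"(proxy_pass\s+https://|grpc_pass\s+grpcs://"
    r"|uwsgi_pass\s+suwsgi://|proxy_ssl\s+on\b)"
)

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
http {
    upstream backend { server 10.0.0.5:8443; }
    server {
        listen 443 ssl;
        location /api/ { proxy_pass https://backend; }   # TLS to upstream
        location /static/ { proxy_pass http://127.0.0.1:8080; }
        # proxy_pass https://disabled.example;
        location /rpc/ {
            grpc_pass grpcs://rpc.internal.example:50051;
        }
    }
}
"""

def strip_comment(line):
    """Drop a trailing # comment, ignoring a # inside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def find_tls_upstreams(conf_text):
    """Return (line_no, block_context, directive) for each TLS-upstream directive."""
    clean = "\n".join(strip_comment(l) for l in conf_text.splitlines())
    findings, stack = [], []
    for m in re.finditer(r"[^{};]+[{;]|}", clean):
        tok = m.group().strip()
        if tok == "}":
            if stack:
                stack.pop()
        elif tok.endswith("{"):
            stack.append(" ".join(tok[:-1].split()))   # entering a block
        else:
            stmt = " ".join(tok[:-1].split())          # directive without ';'
            if TLS_UPSTREAM.match(stmt):
                line_no = clean.count("\n", 0, m.end()) + 1
                findings.append((line_no, " > ".join(stack), stmt))
    return findings

if __name__ == "__main__":
    for line_no, ctx, stmt in find_tls_upstreams(SAMPLE):
        print(f"line {line_no}: [{ctx}] {stmt}")
```

The scanner does not follow `include` directives or resolve variables in `proxy_pass`, so run it over the full dump produced by `nginx -T` and review variable-based targets by hand.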

Sources