Open CVEs: 6
Exploited: 0
KEV: 0
Unpatched: 2
No Workaround: 0
Internet-facing: 4
Why this provider is risky now
This provider has 6 open CVE(s) in the last 14 days. 2 have no vendor patch. 4 affect internet-facing services. 1 impacts the management/identity plane.
2 Unpatched
1 Mgmt / Admin Plane
4 Internet-facing
Top Risky CVEs
CVE-2026-34457
Act Now
Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with --ping-user-agent or --gcp-healthchecks flags.
Within 24 hours: Identify all deployments of OAuth2 Proxy and determine which instances use nginx auth_request with health check features (--ping-user-agent or --gcp-healthchecks flags enabled). Within 7 days: Upgrade all affected OAuth2 Proxy instances to version 7.15.2 or later. Within 30 days: Conduct access log review for the past 90 days to identify any suspicious health check User-Agent patterns that may indicate exploitation attempts.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS: 9.1
EPSS: 0.1%
Priority: 46
CVE-2026-40575
Act Now
### Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
* OAuth2 Proxy is configured with `--reverse-proxy`
*
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: F5 (Network & Security)
CVSS: 9.1
Priority: 46
CVE-2026-40487
This Week
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
Within 24 hours: Identify all Postiz deployments and confirm current version numbers. Within 7 days: Upgrade all Postiz instances to version 2.21.6 or later per vendor patch release. Verify patch deployment across all affected systems. Within 30 days: Conduct audit of file upload logs since deployment to identify any suspicious uploads with mismatched Content-Type headers; reset session tokens for all users as a precautionary measure.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-79: Cross-site Scripting (XSS))
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
CVSS: 8.9
EPSS: 0.0%
Priority: 45
Certificate chain validation bypass in wolfSSL's OpenSSL compatibility layer allows authenticated network attackers to forge arbitrary certificates. Attackers possessing any legitimate leaf certificate from a trusted CA can craft fraudulent certificates for any subject name with arbitrary keys, bypassing signature verification when an untrusted CA:FALSE intermediate is inserted. Affects nginx and haproxy integrations using wolfSSL's OpenSSL compatibility API; native wolfSSL TLS handshake (ProcessPeerCerts) not vulnerable. No public exploit identified at time of analysis.
Within 24 hours: inventory all nginx and HAProxy instances using wolfSSL instead of OpenSSL; verify wolfSSL version and OpenSSL compatibility layer status in production via 'strings' or version inspection. Within 7 days: contact wolfSSL (Linuxppc/stm32) for patch timeline and interim guidance; implement network segmentation to restrict certificate-issuing traffic if feasible. Within 30 days: deploy vendor-released patch immediately upon availability; as interim measure, migrate affected nginx/HAProxy instances to native OpenSSL if operationally feasible to eliminate OpenSSL compatibility layer dependency.
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: F5
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
- No remediation available
CVSS: 8.6
EPSS: 0.0%
Priority: 43
CVE-2026-35568
This Week
DNS rebinding in Model Context Protocol (MCP) Java SDK before v1.0.0 enables remote attackers to invoke arbitrary tool calls on local or network-private MCP servers via a victim's browser. The SDK failed to validate Origin headers per MCP specification requirements, violating mandatory server-side protections against cross-origin attacks. Exploitation requires social engineering (victim visits malicious site), but grants full tool invocation privileges as if the attacker were a locally authorized AI agent. Patch available in v1.0.0. No public exploit identified at time of analysis, but attack technique is well-understood (DNS rebinding). EPSS data not available; authentication requirements not confirmed from available data.
Within 24 hours: Inventory all applications and services using MCP Java SDK and identify current versions deployed. Within 7 days: Upgrade MCP Java SDK to version v1.0.0 or later across all affected systems. Within 30 days: Conduct security review of MCP server deployments to ensure Origin header validation is properly enforced; implement additional network segmentation to restrict access to MCP servers from untrusted networks.
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Third-party ICT: F5
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
CVSS: 7.6
EPSS: 0.0%
Priority: 38
Decidim GraphQL API exposes all commentable resources platform-wide without permission checks, enabling unauthorized access to comments and associated data across public and private participation spaces. Affects decidim-api and decidim-comments Ruby gems with default configurations exposing the /api endpoint publicly. No vendor patch available - only workarounds via authentication enforcement or IP allowlisting. CVSS 7.5 (High) reflects network-accessible confidentiality breach, though real-world impact depends heavily on whether the Decidim instance hosts non-public participation spaces.
Within 24 hours: Identify all Decidim instances in your environment and determine which host non-public participation spaces; document data sensitivity levels. Within 7 days: Implement IP allowlisting or network segmentation to restrict /api endpoint access to trusted networks only, or enforce API authentication via reverse proxy/WAF rules; test that legitimate API consumers remain functional. Within 30 days: Contact Decidim maintainers for patch timeline; evaluate whether instance can be reconfigured to public-only participation or if migration to patched version is feasible; maintain blocklist rules pending vendor remediation.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: F5
- No patch available
- Management plane (Missing Authorization)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: F5 (Network & Security)
- No remediation available
- Authentication / access control weakness
CVSS: 7.5
Priority: 38
By Exposure
- Internet-facing: 4
- Mgmt / Admin Plane: 1
- Identity / Auth: 1
- Internal only: 2
By Exploitability
- Known exploited: 0
- Public PoC: 0
- High EPSS (>30%): 0
- Remote unauthenticated: 4
- Local only: 0
By Remediation
- Patch available: 4
- No patch: 2
- Workaround available: 5
- No workaround: 0