Skip to main content

Nginx CVE-2026-26061

| EUVDEUVD-2026-16744 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-27 https://github.com/fleetdm/fleet GHSA-99hj-44vg-hfcp
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 18:30 euvd
EUVD-2026-16744
Analysis Generated
Mar 27, 2026 - 18:30 vuln.today
CVE Published
Mar 27, 2026 - 18:17 nvd
HIGH 8.7

DescriptionGitHub Advisory

Summary

Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service (DoS) condition.

Impact

An unauthenticated attacker could cause the Fleet server process to exhaust available memory and restart by sending oversized or repeated HTTP requests to affected endpoints.

This vulnerability impacts availability only. There is:

  • No exposure of sensitive data
  • No authentication bypass
  • No privilege escalation
  • No integrity impact

Workarounds

If upgrading immediately is not possible, the following mitigations can reduce exposure:

  • Apply request body size limits at a reverse proxy or load balancer (e.g., NGINX, Envoy).
  • Restrict network access to endpoints to known IP ranges where feasible.
  • Monitor memory usage and restart frequency for abnormal patterns.

For More Information

If there are any questions or concerns about this advisory, please contact us at:

Email Fleet at [security@fleetdm.com](mailto:security@fleetdm.com)

Credits

Fleet thanks @fuzzztf for responsibly reporting this issue.

AnalysisAI

Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.

Technical ContextAI

This vulnerability is rooted in CWE-770 (Allocation of Resources Without Limits or Throttling), affecting the Fleet device management platform written in Go. The affected product is identified via CPE as pkg:go/github.com_fleetdm_fleet_v4. The flaw exists in multiple HTTP request handlers that fail to enforce maximum body size limits when processing incoming requests. Without proper resource controls, the Go HTTP server allocates memory proportional to request size, allowing an attacker to consume heap space until the process crashes or is terminated by the operating system. This class of vulnerability is particularly common in Go web applications that use io.ReadAll or similar unbounded readers on request bodies without implementing middleware-level size restrictions or per-handler validation.

RemediationAI

Upgrade Fleet to the patched version specified in the vendor security advisory at https://github.com/fleetdm/fleet/security/advisories/GHSA-99hj-44vg-hfcp (exact version number not provided in available intelligence). Until patching is possible, implement request body size limits at a reverse proxy or load balancer layer using NGINX, Envoy, or similar with configurations such as client_max_body_size in NGINX. Restrict network access to Fleet endpoints to known IP ranges using firewall rules or network segmentation where operationally feasible. Monitor Fleet server memory usage and process restart frequency for abnormal patterns indicating exploitation attempts. For questions or incident response assistance, contact Fleet security team at security@fleetdm.com as noted in the advisory.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-26061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy