Skip to main content

Nginx CVE-2026-28753

| EUVDEUVD-2026-14885 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-03-24 f5 GHSA-ggr6-fmr8-2m8g
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
3.7 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14885
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 14:13 nvd
MEDIUM 6.3

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

NGINX Plus and NGINX Open Source contain an improper handling vulnerability in the ngx_mail_smtp_module that allows DNS response injection through malformed CRLF sequences. An attacker controlling a DNS server can inject arbitrary headers into SMTP upstream requests, potentially manipulating mail routing and message content. With a CVSS score of 3.7 and low attack complexity, this represents an integrity issue rather than a critical exploitability threat, though it requires network-level DNS control.

Technical ContextAI

The vulnerability exists in NGINX's mail SMTP module (ngx_mail_smtp_module), which processes DNS responses for mail server resolution. The root cause is CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers), indicating insufficient input validation or sanitization of carriage return and line feed characters in DNS response data. When NGINX parses DNS responses to resolve SMTP upstream hosts, it fails to properly strip or reject CRLF sequences, allowing an attacker-controlled DNS server to inject additional SMTP protocol commands or headers into the upstream request stream. This affects both NGINX Open Source (cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*) and NGINX Plus (cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*) across multiple versions. F5 has explicitly noted that End of Technical Support (EoTS) versions are not evaluated for this vulnerability.

RemediationAI

Consult the F5 security advisory at https://my.f5.com/manage/s/article/K000160367 to identify the patched version for your NGINX deployment (either Open Source or Plus) and upgrade to the latest available release. As a temporary mitigation, enforce DNSSEC validation to prevent DNS response injection, restrict DNS queries to trusted internal resolvers only, and implement network segmentation to limit DNS traffic from untrusted sources. If SMTP mail module functionality is not required, disable the ngx_mail_smtp_module at compile time. For environments that cannot immediately patch, apply reverse proxy hardening by validating SMTP responses before forwarding to upstream mail servers, though this may require custom module development.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-28753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy