Skip to main content

NGINX Gateway Fabric CVE-2026-32682

HIGH
Improper Validation of Array Index (CWE-129)
2026-06-17 f5
7.1
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable Kubernetes API (AV:N), no special conditions (AC:L), requires RBAC rights on GRPCRoute resources (PR:L), no user interaction, availability-only impact on the control plane.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 18, 2026 - 03:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 03:44 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 03:38 vuln.today
cvss_changed
Severity Changed
Jun 18, 2026 - 03:38 NVD
MEDIUM HIGH
CVSS changed
Jun 18, 2026 - 03:38 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 17, 2026 - 20:35 vuln.today

DescriptionCVE.org

When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRPCRoute resources to crash the control plane by submitting GRPCRoute objects containing malformed backendRef filters. The flaw, tracked under CWE-129 (Improper Validation of Array Index), carries a CVSS 4.0 score of 7.1 with pure availability impact and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain GRPCRoute write permission in target namespace
Delivery
Craft GRPCRoute with malicious backendRef filter
Exploit
Submit manifest via kubectl/API
Execution
Controller fails array-index validation (CWE-129)
Persist
Control plane process terminates
Impact
Gateway reconciliation halted cluster-wide

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) NGINX Gateway Fabric deployed and actively reconciling GRPCRoute resources - clusters that only use HTTPRoute or TCPRoute are not exposed; (2) the attacker possessing Kubernetes RBAC permission to create, update, or patch gateway.networking.k8s.io/grpcroutes in at least one namespace watched by the gateway (PR:L in the CVSS vector); and (3) submission of a GRPCRoute whose backendRef block contains the undisclosed malformed filter pattern. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H accurately reflects the threat: network-reachable, low-complexity, but gated by PR:L because the attacker must already hold Kubernetes RBAC rights on GRPCRoute resources - a non-trivial precondition in a properly segmented cluster. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant developer or compromised service account that has been granted namespace-scoped permission to create GRPCRoute resources submits a manifest containing a crafted backendRef filter; the NGINX Gateway Fabric controller picks up the resource, fails to validate the filter structure, and terminates. Each restart immediately re-reads the offending resource and re-crashes, producing a sustained outage of Gateway API reconciliation until the malicious GRPCRoute is removed. …
Remediation Patch available per vendor advisory: upgrade NGINX Gateway Fabric to the fixed release identified in F5 article K000161786 (https://my.f5.com/manage/s/article/K000161786); the exact fix version is not enumerated in the available input and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all F5 NGINX Gateway Fabric deployments and document versions; restrict Kubernetes RBAC permissions for GRPCRoute resource creation/modification to principal administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-32682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy