NGINX Gateway Fabric
CVE-2026-32682
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable Kubernetes API (AV:N), no special conditions (AC:L), requires RBAC rights on GRPCRoute resources (PR:L), no user interaction, availability-only impact on the control plane.
Primary rating from Vendor (f5).
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRPCRoute resources to crash the control plane by submitting GRPCRoute objects containing malformed backendRef filters. The flaw, tracked under CWE-129 (Improper Validation of Array Index), carries a CVSS 4.0 score of 7.1 with pure availability impact and no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) NGINX Gateway Fabric deployed and actively reconciling GRPCRoute resources - clusters that only use HTTPRoute or TCPRoute are not exposed; (2) the attacker possessing Kubernetes RBAC permission to create, update, or patch gateway.networking.k8s.io/grpcroutes in at least one namespace watched by the gateway (PR:L in the CVSS vector); and (3) submission of a GRPCRoute whose backendRef block contains the undisclosed malformed filter pattern. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H accurately reflects the threat: network-reachable, low-complexity, but gated by PR:L because the attacker must already hold Kubernetes RBAC rights on GRPCRoute resources - a non-trivial precondition in a properly segmented cluster. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A tenant developer or compromised service account that has been granted namespace-scoped permission to create GRPCRoute resources submits a manifest containing a crafted backendRef filter; the NGINX Gateway Fabric controller picks up the resource, fails to validate the filter structure, and terminates. Each restart immediately re-reads the offending resource and re-crashes, producing a sustained outage of Gateway API reconciliation until the malicious GRPCRoute is removed. … |
| Remediation | Patch available per vendor advisory: upgrade NGINX Gateway Fabric to the fixed release identified in F5 article K000161786 (https://my.f5.com/manage/s/article/K000161786); the exact fix version is not enumerated in the available input and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all F5 NGINX Gateway Fabric deployments and document versions; restrict Kubernetes RBAC permissions for GRPCRoute resource creation/modification to principal administrators only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nginx Gateway Fabric
View allConfiguration injection in F5 NGINX Gateway Fabric lets an authenticated Kubernetes user who can create or modify NginxP
Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or
NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers t
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today