Skip to main content

NGINX Plus and NGINX Open Source CVE-2026-40460

| EUVDEUVD-2026-29974 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-05-13 f5 GHSA-h7rq-f9gq-mc8r
6.9
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 16:22 NVD
6.5 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
May 13, 2026 - 16:01 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
MEDIUM 6.5

DescriptionCVE.org

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.

Technical ContextAI

The HTTP/3 protocol relies on QUIC (Quick UDP Internet Connection) as its underlying transport layer. NGINX's QUIC module handles HTTP/3 connections over UDP, but improperly validates source IP addresses during session establishment or packet processing. CWE-290 (Authentication using a Broken or Risky Cryptographic Algorithm) in this context manifests as insufficient source IP verification, allowing attackers to forge the origin address of HTTP/3 requests. This circumvents authorization policies and rate-limiting rules that depend on client IP identification. The vulnerability is specific to deployments where the HTTP/3 QUIC module is explicitly configured and enabled; default NGINX configurations without QUIC are unaffected.

RemediationAI

Apply the vendor-released patch from F5 advisory K000161068 (https://my.f5.com/manage/s/article/K000161068) to upgrade NGINX Plus or NGINX Open Source to a patched version. Organizations unable to immediately patch should consider disabling the HTTP/3 QUIC module in NGINX configuration (remove or comment out 'http3' and 'quic' directives in the main or server blocks) until patches can be deployed; this eliminates the attack surface while preserving HTTP/2 and HTTP/1.1 service. Implement additional IP-based access controls at network perimeter (firewall, WAF, reverse proxy) separate from NGINX's rate-limiting to provide defense-in-depth against source IP spoofing. Rate-limiting policies should also incorporate other identifiers (API keys, cookies, Host headers) rather than relying solely on client IP when QUIC is in use.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-40460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy