Skip to main content

NGINX Gateway Fabric CVE-2026-50107

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-17 f5
8.6
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

Requires Kubernetes RBAC over NginxProxy CRDs (PR:H), network-reachable API (AV:N/AC:L), and control-plane-to-data-plane crossing justifies S:C with high C/I and low availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 18, 2026 - 03:45 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 18, 2026 - 03:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 18, 2026 - 03:38 vuln.today
cvss_changed
CVSS changed
Jun 18, 2026 - 03:38 NVD
8.1 (HIGH) 8.6 (HIGH)
Analysis Generated
Jun 17, 2026 - 20:32 vuln.today

DescriptionCVE.org

When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or modify NginxProxy Custom Resource Definitions to inject arbitrary NGINX directives into generated configuration files via the unsanitized access log format setting. The flaw resides in the control plane configuration generator and affects deployments using NGINX Plus or NGINX Open Source as the data plane. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Kubernetes credentials with NginxProxy CRD write rights
Delivery
Craft access log format with embedded NGINX directives
Exploit
Submit malicious NginxProxy CRD to Kubernetes API
Execution
Control plane renders unsanitized value into config template
Persist
Data plane NGINX loads injected directives
Impact
Redirect, mirror, or capture proxied traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a deployment of NGINX Gateway Fabric using NGINX Plus or NGINX Open Source as the data plane, (2) an authenticated Kubernetes identity holding RBAC permissions to create or modify NginxProxy Custom Resource Definitions (typically cluster-admin or a delegated operator role with verbs create/update/patch on nginxproxies.gateway.nginx.org), and (3) supply of a malicious string into the access log format setting of that CRD. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) reflects a network-reachable, low-complexity attack requiring low privileges and no user interaction, with high confidentiality and integrity loss but no availability impact and no scope change to subsequent systems - consistent with an in-cluster control-plane abuse. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Kubernetes credentials with edit rights on NginxProxy CRDs - for example a compromised CI service account or a malicious namespace administrator - submits an NginxProxy resource whose accessLog.format field contains a crafted string that terminates the log_format directive and appends additional NGINX directives. When the Gateway Fabric control plane renders this into the data plane configuration, the injected directives (for example, additional server blocks, lua_package_path, or proxy_pass to attacker-controlled upstreams) are loaded by NGINX, enabling traffic interception, credential exfiltration via mirrored requests, or modification of routing behavior. …
Remediation Patch availability per vendor advisory: upgrade NGINX Gateway Fabric to the fixed release identified in F5 advisory K000161785 (https://my.f5.com/manage/s/article/K000161785); exact fix versions are not enumerated in the input data and must be taken from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory deployments of F5 NGINX Gateway Fabric and identify which teams have Kubernetes permissions to create/modify NginxProxy Custom Resource Definitions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy