NGINX Gateway Fabric
CVE-2026-50107
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires Kubernetes RBAC over NginxProxy CRDs (PR:H), network-reachable API (AV:N/AC:L), and control-plane-to-data-plane crossing justifies S:C with high C/I and low availability impact.
Primary rating from Vendor (f5).
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Articles & Coverage 1
AnalysisAI
Configuration injection in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with permission to create or modify NginxProxy Custom Resource Definitions to inject arbitrary NGINX directives into generated configuration files via the unsanitized access log format setting. The flaw resides in the control plane configuration generator and affects deployments using NGINX Plus or NGINX Open Source as the data plane. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a deployment of NGINX Gateway Fabric using NGINX Plus or NGINX Open Source as the data plane, (2) an authenticated Kubernetes identity holding RBAC permissions to create or modify NginxProxy Custom Resource Definitions (typically cluster-admin or a delegated operator role with verbs create/update/patch on nginxproxies.gateway.nginx.org), and (3) supply of a malicious string into the access log format setting of that CRD. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) reflects a network-reachable, low-complexity attack requiring low privileges and no user interaction, with high confidentiality and integrity loss but no availability impact and no scope change to subsequent systems - consistent with an in-cluster control-plane abuse. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Kubernetes credentials with edit rights on NginxProxy CRDs - for example a compromised CI service account or a malicious namespace administrator - submits an NginxProxy resource whose accessLog.format field contains a crafted string that terminates the log_format directive and appends additional NGINX directives. When the Gateway Fabric control plane renders this into the data plane configuration, the injected directives (for example, additional server blocks, lua_package_path, or proxy_pass to attacker-controlled upstreams) are loaded by NGINX, enabling traffic interception, credential exfiltration via mirrored requests, or modification of routing behavior. … |
| Remediation | Patch availability per vendor advisory: upgrade NGINX Gateway Fabric to the fixed release identified in F5 advisory K000161785 (https://my.f5.com/manage/s/article/K000161785); exact fix versions are not enumerated in the input data and must be taken from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory deployments of F5 NGINX Gateway Fabric and identify which teams have Kubernetes permissions to create/modify NginxProxy Custom Resource Definitions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nginx Gateway Fabric
View allConfiguration injection in F5 NGINX Gateway Fabric lets an authenticated Kubernetes user who can create or modify NginxP
Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRP
NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers t
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today