Skip to main content

NGINX Agent CVE-2026-60062

| EUVDEUVD-2026-44682 MEDIUM
Path Traversal (CWE-22)
2026-07-15 f5 GHSA-66rh-w67w-7426
5.3
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-reachable with low-privilege authentication required; limited confidentiality and integrity impact with no availability concern and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 15:31 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
6.4 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

The NGINX Agent config_dirs directive allows a low-privileged attacker to gain limited read and write access to files outside of the designated secure directory. The config_dirs directive required for this issue can also be configured through NGINX Instance Manager. A successful exploit may allow an attacker to cross a security boundary.

Impact: A remotely authenticated low-privileged attacker could gain limited read and write access outside of the list of directories specified in the NGINX Agent configuration.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged agent credentials
Delivery
Submit crafted config_dirs value with path traversal sequences
Exploit
Agent processes directive without path canonicalization
Execution
Read or write files outside secure directory boundary
Impact
Access sensitive configuration or credential files

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the attacker holds low-privileged authentication to the NGINX Agent or NGINX Instance Manager (confirmed by CVSS PR:L); (2) the config_dirs directive is configurable by the attacker's privilege level - either directly through agent configuration or via NGINX Instance Manager. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) reflects a realistic threat profile: network-reachable (AV:N), low complexity (AC:L), no attack prerequisites (AT:N), but requiring low-privilege authentication (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged credentials to an NGINX Agent deployment - such as a service account or a compromised application user with agent API access - submits a crafted config_dirs value containing path traversal sequences. The agent processes the malformed directive without proper canonicalization and grants the attacker limited read/write access to files outside the configured secure directories, potentially exposing NGINX configuration files, TLS certificates, or other files accessible to the agent process.
Remediation A patch is available from F5 per vendor advisory K000161971 (https://my.f5.com/manage/s/article/K000161971); the exact fixed version number was not included in the available input data and should be confirmed directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy