Skip to main content

NGINX Plus CVE-2026-60065

| EUVDEUVD-2026-44685 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-15 f5 GHSA-w94h-5qpm-994v
6.3
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
6.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-reachable with no auth needed, but AC:H reflects AT:P partial-control constraint; availability-only low impact from worker restart, no scope change.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jul 15, 2026 - 15:33 vuln.today
Severity Changed
Jul 15, 2026 - 15:22 NVD
LOW MEDIUM
CVSS changed
Jul 15, 2026 - 15:22 NVD
3.7 (LOW) 6.3 (MEDIUM)
CVE Published
Jul 15, 2026 - 14:33 cve.org
MEDIUM 6.3

DescriptionCVE.org

When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart.

Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify NGINX Plus instance with MQTT filter enabled
Delivery
Send crafted MQTT message to stream listener
Exploit
Satisfy partial runtime conditions for over-read
Execution
Trigger heap buffer over-read in worker process
Impact
Worker process crashes and master respawns it

Vulnerability AssessmentAI

Exploitation Exploitation requires NGINX Plus to be explicitly configured with the ngx_stream_mqtt_filter_module in a stream block - this is a non-default, operator opt-in configuration absent from standard NGINX Plus deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 6.3 reflects a moderate, availability-only risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker who has network access to an NGINX Plus instance with the MQTT filter module enabled sends a specially crafted MQTT protocol message to the stream listener port. Under specific runtime conditions that the attacker cannot fully control, the malformed message triggers a heap buffer over-read in the NGINX worker process, causing it to crash and restart - interrupting active MQTT connections for the duration of the respawn cycle. …
Remediation Apply the vendor-released patch by upgrading to the fixed NGINX Plus version specified in F5 advisory K000162101 (https://my.f5.com/manage/s/article/K000162101); the advisory provides exact version targets and upgrade procedures. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Share

CVE-2026-60065 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy