Skip to main content

Nginx Instance Manager

8 CVEs product

Monthly

CVE-2026-60062 MEDIUM PATCH This Month

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.

Nginx Path Traversal Nginx Agent Nginx Instance Manager
NVD
CVSS 4.0
5.3
CVE-2026-1642 MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source Nginx Instance Manager Nginx Gateway Fabric +3
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2024-10318 MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx Nginx Api Connectivity Manager Nginx Ingress Controller +2
NVD
CVSS 4.0
5.1
EPSS
0.3%
CVE-2024-7634 MEDIUM This Month

NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nginx Nginx Agent Nginx Instance Manager
NVD
CVSS 4.0
6.9
EPSS
0.5%
CVE-2023-28724 HIGH This Week

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nginx Nginx Api Connectivity Manager Nginx Instance Manager Nginx Security Monitoring
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2023-28656 HIGH This Week

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Cloud Backup Ontap Select Deploy Nginx Api Connectivity Manager +2
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2023-1550 MEDIUM This Month

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Agent Nginx Instance Manager
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-35241 MEDIUM This Month

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Denial Of Service Nginx Instance Manager
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVSS 5.3
MEDIUM PATCH This Month

Path traversal in F5 NGINX Agent via the config_dirs directive enables a remotely authenticated low-privileged attacker to read and write files outside of the directories designated as secure in the agent's configuration. The config_dirs directive can be set directly in the NGINX Agent configuration or through NGINX Instance Manager, expanding the attack surface across both products. No public exploit code or active exploitation has been identified at time of analysis, and a vendor patch is available per F5 advisory K000161971.

Nginx Path Traversal Nginx Agent +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.

Nginx Nginx Ingress Controller Nginx Open Source +5
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nginx +4
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nginx Nginx Agent +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Nginx Nginx Api Connectivity Manager +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Cloud Backup +4
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Insertion of Sensitive Information into log file vulnerability in NGINX Agent. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Nginx Nginx Agent +1
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In versions 2.x before 2.3.1 and all versions of 1.x, when NGINX Instance Manager is in use, undisclosed requests can cause an increase in disk resource utilization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nginx Denial Of Service Nginx Instance Manager
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy