{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1642", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2026-01-29T18:26:26.996Z", "datePublished": "2026-02-04T15:02:06.154Z", "dateUpdated": "2026-02-05T05:25:39.303Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "NGINX Open Source", "vendor": "F5", "versions": [{"changes": [{"at": "1.28.2", "status": "unaffected"}], "lessThan": "1.29.5", "status": "affected", "version": "1.3.0", "versionType": "semver"}]}, {"defaultStatus": "unknown", "product": "NGINX Plus", "vendor": "F5", "versions": [{"lessThan": "R36 P2", "status": "affected", "version": "R36", "versionType": "custom"}, {"lessThan": "R35 P1", "status": "affected", "version": "R35", "versionType": "custom"}, {"lessThan": "*", "status": "affected", "version": "R34", "versionType": "custom"}, {"lessThan": "*", "status": "affected", "version": "R33", "versionType": "custom"}, {"lessThan": "R32 P4", "status": "affected", "version": "R32", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "datePublic": "2026-02-04T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker's control\u2014may be able to inject plain text data into the response from an upstream proxied server.&nbsp;&nbsp;</span></span>Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n</span><br>"}], "value": "A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker's control\u2014may be able to inject plain text data into the response from an upstream proxied server.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-349", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-02-04T15:02:06.154Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000159824"}], "source": {"discovery": "INTERNAL"}, "title": "NGINX vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:01:47.913148Z", "id": "CVE-2026-1642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:02:24.781Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/05/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T05:25:39.303Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/02/05/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-05T05:25:39.303Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:01:47.913148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:02:17.994Z"}}], "cna": {"title": "NGINX vulnerability", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "product": "NGINX Open Source", "versions": [{"status": "affected", "changes": [{"at": "1.28.2", "status": "unaffected"}], "version": "1.3.0", "lessThan": "1.29.5", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "NGINX Plus", "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P2", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P1", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P4", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2026-02-04T15:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000159824", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker's control\u2014may be able to inject plain text data into the response from an upstream proxied server.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker's control\u2014may be able to inject plain text data into the response from an upstream proxied server.&nbsp;&nbsp;</span></span>Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-02-04T15:02:06.154Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1642", "state": "PUBLISHED", "dateUpdated": "2026-02-05T05:25:39.303Z", "dateReserved": "2026-01-29T18:26:26.996Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2026-02-04T15:02:06.154Z", "assignerShortName": "f5"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE3A85CC-50DD-4BE7-A8BF-F2AA2744FCDB", "versionEndIncluding": "1.6.2", "versionStartIncluding": "1.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*", "matchCriteriaId": "95483FC6-1850-4C56-95C6-D65AEF39C5E4", "versionEndExcluding": "2.4.1", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "53459EB1-5EAE-4F38-86CC-303408A91124", "versionEndIncluding": "3.7.2", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "73A1CDBB-49F6-4AB6-AA67-542FD8017D6A", "versionEndIncluding": "4.0.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "48DC8DC2-497F-48F9-A68B-8EA8DAA507E0", "versionEndExcluding": "5.3.3", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "05880D9D-7C68-42A8-9374-8BF4E6403757", "versionEndIncluding": "2.21.0", "versionStartIncluding": "2.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "156F74E8-589F-43FC-AD64-74E2BFD11A62", "versionEndExcluding": "1.28.2", "versionStartIncluding": "1.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "6205FEE4-C23C-4FBA-953D-35E8B8644D64", "versionEndExcluding": "1.29.5", "versionStartIncluding": "1.29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7600A88-7651-4D8E-A04A-3AA81C850CC5", "versionEndExcluding": "r35", "versionStartIncluding": "r33", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*", "matchCriteriaId": "36C4308E-651E-437C-84E7-10C542E3ADC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*", "matchCriteriaId": "FA913184-EAAD-409E-99C6-AB979DAA93F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*", "matchCriteriaId": "782DF180-1101-4D6A-A1D7-8DADBAF6D9D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*", "matchCriteriaId": "FB0B11F2-4748-492B-9906-F8C4C5EAFF12", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*", "matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*", "matchCriteriaId": "43477C2E-7485-4146-B25C-F58D632CD85B", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*", "matchCriteriaId": "6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*", "matchCriteriaId": "7453D683-FCA7-46EE-BE49-5FD9A01D7F87", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*", "matchCriteriaId": "A977BF9F-D165-4B93-B4D2-A177883A5E75", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*", "matchCriteriaId": "5D5FFD66-35C3-41AD-BD77-510E34A3AC6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*", "matchCriteriaId": "E7E5F940-048A-446F-9A1E-074612CEA1AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*", "matchCriteriaId": "7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side\u2014along with conditions beyond the attacker's control\u2014may be able to inject plain text data into the response from an upstream proxied server.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "id": "CVE-2026-1642", "lastModified": "2026-02-13T21:35:01.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2026-02-04T15:16:14.190", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000159824"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/02/05/1"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-349"}], "source": "f5sirt@f5.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections", "id": "2436738", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436738"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-349", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-1642", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx:1.26/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:insights_proxy:1", "fix_state": "Affected", "package_name": "insights-proxy/insights-proxy-container-rhel9", "product_name": "Red Hat Lightspeed proxy 1"}], "public_date": "2026-02-04T15:02:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1642\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1642\nhttps://my.f5.com/manage/s/article/K000159824"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T20:09:50.174408+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest patched release of NGINX OSS or NGINX Plus that fixes the TLS proxy injection flaw.", "Configure NGINX to validate upstream server certificates and enforce strict hostname verification, reducing the risk of a MITM attacker injecting data.", "Restrict proxy_pass directives to trusted, verified upstream endpoints and disable overly permissive proxy settings that could allow injection.", "Where possible, isolate upstream TLS services from the NGINX host or apply network segmentation to limit exposure to potential MITM actors."], "summary": {"action": "Patch Immediately", "impact": "Plain Text Injection"}, "threat_synthesis": {"affected_systems": "Affected products include F5\u2019s NGINX Open Source distribution and all supported releases of F5 NGINX Plus that contain TLS proxy functionality, ranging from r32 to r36 as enumerated in the CPE list. End\u2011of\u2011support versions have not been evaluated for this issue.", "description_and_impact": "The vulnerability originates in NGINX proxy logic that processes TLS upstream connections. When an attacker can sit in a man\u2011in\u2011the\u2011middle position on the upstream TLS server side, the proxy may mistakenly incorporate plain text data from the upstream server into the HTTP response that it forwards to downstream clients. This results in content tampering or unintended data disclosure, but does not grant the attacker code execution or broader system compromise. The flaw is classified as CWE\u2011345 and CWE\u2011349.", "risk_and_exploitability": "The CVSS score of 8.2 marks the flaw as high severity, while an EPSS score of less than 1\u202f% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Successful exploitation requires an attacker to control the upstream TLS endpoint or otherwise achieve a MITM position, under conditions that are not trivially achievable."}}}}, "created": "2026-02-04T21:17:45.794163+00:00", "title": "NGINX Proxy TLS Plain Text Injection Vulnerability", "updated": "2026-04-18T20:15:09.550155+00:00", "vendors": ["f5", "f5$PRODUCT$nginx_open_source", "f5$PRODUCT$nginx_plus"]}