CVE-2026-1642 MEDIUM

CVE-2026-1642: NGINX vulnerability

Vendor F5

Product NGINX Open Source

Weakness CWE-349

Published February 4, 2026

Last update February 5, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

Disclosure timeline

February 4, 2026 CVE published

February 5, 2026 Record updated

Identifiers

CVE CVE-2026-1642

CWE CWE-349

CVSS 5.9 / MEDIUM

Affected versions

Vendor F5

Product NGINX Open Source

Affected ≥ 1.3.0 and < 1.29.5

Vendor F5

Product NGINX Plus

Affected ≥ R36 and < R36 P2

Vendor F5

Product NGINX Plus

Affected ≥ R35 and < R35 P1

Vendor F5

Product NGINX Plus

Affected ≥ R34 and < *

Vendor F5

Product NGINX Plus

Affected ≥ R33 and < *

Vendor F5

Product NGINX Plus

Affected ≥ R32 and < R32 P4