CVE-2026-40460 MEDIUM

CVE-2026-40460: NGINX ngx_quic_module vulnerability

Vendor F5

Product NGINX Plus

Weakness CWE-290

Published May 13, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

Description

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

Disclosure timeline

May 13, 2026 CVE published

May 13, 2026 Record updated

Identifiers

CVE CVE-2026-40460

CWE CWE-290

CVSS 6.5 / MEDIUM

Affected versions

Vendor F5

Product NGINX Plus

Affected ≥ R36 and < R36 P4

Vendor F5

Product NGINX Plus

Affected ≥ R32 and < R32 P6

Vendor F5

Product NGINX Open Source

Affected ≥ 1.26.0 and < 1.30.1