8.2
CVE-2026-1642
- EPSS 0.02%
- Published 04.02.2026 15:02:06
- Last modified 13.02.2026 21:35:01
- Source f5sirt@f5.com
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Linked by AI from unstructured data to existing NVD CPEs
Data provided by the National Vulnerability Database (NVD)
F5 ≫ Nginx Gateway Fabric Version >= 1.2.0 <= 1.6.2
F5 ≫ Nginx Gateway Fabric Version >= 2.0.0 < 2.4.1
F5 ≫ Nginx Ingress Controller Version >= 3.4.0 <= 3.7.2
F5 ≫ Nginx Ingress Controller Version >= 4.0.0 <= 4.0.1
F5 ≫ Nginx Ingress Controller Version >= 5.0.0 < 5.3.3
F5 ≫ Nginx Instance Manager Version >= 2.15.1 <= 2.21.0
F5 ≫ Nginx Open Source Version >= 1.3.0 < 1.28.2
F5 ≫ Nginx Open Source Version >= 1.29.0 < 1.29.5
F5 ≫ Nginx Plus Version >= r33 < r35
F5 ≫ Nginx Plus Version r32 Update -
F5 ≫ Nginx Plus Version r32 Update p1
F5 ≫ Nginx Plus Version r32 Update p2
F5 ≫ Nginx Plus Version r32 Update p3
F5 ≫ Nginx Plus Version r33 Update p1
F5 ≫ Nginx Plus Version r33 Update p2
F5 ≫ Nginx Plus Version r33 Update p3
F5 ≫ Nginx Plus Version r34 Update p1
F5 ≫ Nginx Plus Version r34 Update p2
F5 ≫ Nginx Plus Version r35 Update -
F5 ≫ Nginx Plus Version r36 Update -
F5 ≫ Nginx Plus Version r36 Update p1

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.033 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| f5sirt@f5.com | 8.2 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| f5sirt@f5.com | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |

CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.