5.4

CVE-2026-28755

NGINX ngx_stream_ssl_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.   


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
F5Nginx Plus Versionr33
F5Nginx Plus Versionr33 Updatep1
F5Nginx Plus Versionr33 Updatep2
F5Nginx Plus Versionr33 Updatep3
F5Nginx Plus Versionr34
F5Nginx Plus Versionr34 Updatep1
F5Nginx Plus Versionr34 Updatep2
F5Nginx Plus Versionr35 Updatep1
F5Nginx Plus Versionr36
F5Nginx Plus Versionr36 Updatep1
F5Nginx Plus Versionr36 Updatep2
F5Nginx Open Source Version >= 0.5.13 <= 0.9.7
F5Nginx Open Source Version >= 1.27.2 < 1.28.3
F5Nginx Open Source Version >= 1.29.0 < 1.29.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.01% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
f5sirt@f5.com 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f5sirt@f5.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.