CVE-2026-1642

Unknown Unknown - Not Provided

TLS Proxy Injection Vulnerability in NGINX OSS and Plus

Publication date: 2026-02-04

Last updated on: 2026-02-13

Assigner: F5 Networks

Description

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-04

Last Modified

2026-02-13

Generated

2026-06-16

AI Q&A

2026-02-04

EPSS Evaluated

2026-06-15

NVD

CVE-2026-1642

EUVD

EUVD-2026-5498

Affected Vendors & Products

Vendor	Product	Version / Range
f5	nginx_plus	r32
f5	nginx_plus	r32
f5	nginx_plus	r32
f5	nginx_plus	r33
f5	nginx_plus	r33
f5	nginx_plus	r34
f5	nginx_gateway_fabric	From 1.2.0 (inc) to 1.6.2 (inc)
f5	nginx_ingress_controller	From 3.4.0 (inc) to 3.7.2 (inc)
f5	nginx_ingress_controller	From 4.0.0 (inc) to 4.0.1 (inc)
f5	nginx_instance_manager	From 2.15.1 (inc) to 2.21.0 (inc)
f5	nginx_open_source	From 1.29.0 (inc) to 1.29.5 (exc)
f5	nginx_open_source	From 1.3.0 (inc) to 1.28.2 (exc)
f5	nginx_plus	r32
f5	nginx_plus	r33
f5	nginx_plus	r34
f5	nginx_plus	r35
f5	nginx_plus	r36
f5	nginx_plus	r36
f5	nginx_gateway_fabric	From 2.0.0 (inc) to 2.4.1 (exc)
f5	nginx_ingress_controller	From 5.0.0 (inc) to 5.3.3 (exc)
f5	nginx_plus	From r33 (inc) to r35 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-345	The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-349	The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

Attack-Flow Graph

Executive Summary

This vulnerability exists in NGINX OSS and NGINX Plus when they are configured to proxy to upstream Transport Layer Security (TLS) servers.

An attacker who is in a man-in-the-middle (MITM) position on the upstream server side, and under certain conditions beyond the attacker's control, may be able to inject plain text data into the response from the upstream proxied server.

Impact Analysis

The vulnerability can allow an attacker positioned as a man-in-the-middle on the upstream server side to inject plain text data into responses from the proxied server.

This could lead to integrity issues where the data received by clients is altered without their knowledge.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-1642. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-1642

TLS Proxy Injection Vulnerability in NGINX OSS and Plus

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart