CVE-2026-28755
Awaiting Analysis
Awaiting Analysis - Queue
Improper Revoked Certificate Validation in NGINX TLS Module
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: F5 Networks
Description
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Β
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| f5 | nginx_plus | r33 |
| f5 | nginx_plus | r33 |
| f5 | nginx_plus | r34 |
| f5 | nginx_plus | r33 |
| f5 | nginx_plus | r34 |
| f5 | nginx_plus | r36 |
| f5 | nginx_plus | r33 |
| f5 | nginx_plus | r34 |
| f5 | nginx_plus | r35 |
| f5 | nginx_plus | r36 |
| f5 | nginx_plus | r36 |
| f5 | nginx_open_source | From 0.5.13 (inc) to 0.9.7 (inc) |
| f5 | nginx_open_source | From 1.27.2 (inc) to 1.28.3 (exc) |
| f5 | nginx_open_source | From 1.29.0 (inc) to 1.29.7 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
