CVE-2026-11311
Analyzed Analyzed - Analysis Complete

Authentication Directive Injection in NGINX Gateway Fabric

Vulnerability report for CVE-2026-11311, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-07-02

Assigner: F5 Networks

Description

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-07-02
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
f5 nginx_gateway_fabric From 2.5.0 (inc) to 2.6.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-76 The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

This vulnerability arises from unsanitized user-supplied string values in the NGINX configuration generator component of NGINX Gateway Fabric. To mitigate this vulnerability, ensure that only trusted and authenticated users with permission to create or modify the Custom Resource Definitions (NginxProxy serverTokens field and AuthenticationFilter extraAuthArgs field) are allowed to do so.

Additionally, review and restrict permissions to prevent unauthorized modification of these Custom Resource Definitions. Since this is a control plane issue with no direct data plane exposure, focus on access control and validation of inputs before they are rendered into NGINX configuration templates.

Executive Summary

This vulnerability exists in NGINX Plus when it is configured as the data plane for NGINX Gateway Fabric. It is an injection vulnerability in the NGINX configuration generator component of NGINX Gateway Fabric.

Specifically, user-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are inserted directly into NGINX configuration templates without any sanitization or escaping.

An authenticated attacker who has permission to create or modify these Custom Resource Definitions can craft values that inject arbitrary NGINX configuration directives, potentially altering the behavior of the NGINX configuration.

This is a control plane issue, meaning the vulnerability affects configuration management rather than the data plane itself, and there is no direct data plane exposure from triggering this vulnerability.

Impact Analysis

This vulnerability can allow an authenticated attacker with permission to modify certain Custom Resource Definitions to inject arbitrary configuration directives into NGINX.

Such injection could lead to unauthorized changes in the behavior of the NGINX server, potentially compromising the security or stability of the system.

Because the vulnerability is in the control plane, it may allow attackers to manipulate configuration settings, which could result in denial of service, bypass of security controls, or other unintended behaviors.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11311. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart