CVE-2026-11311
Status: Awaiting Analysis
Authentication Directive Injection in NGINX Gateway Fabric

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: F5 Networks

Description
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
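The description above names the root cause: a string taken from a Custom Resource field is placed into an NGINX configuration template verbatim, so characters that terminate a directive (`;`, a newline) let a single field emit more than one directive. The Go program below is an added illustration written for this page, not NGINX Gateway Fabric's own template or generator code. It assumes a minimal template for the `server_tokens` directive, an allowlist of the directive's keyword forms (`on`, `off`, `build`) plus a quoted free-form string restricted to a safe character set (NGINX Plus accepts a string value; the exact validation NGF applies is not stated on the page), and a constructed, harmless second directive (`client_max_body_size 1m`) to show the effect. The flawed rendering is kept alongside the fail-closed version so the two outputs can be compared.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Constructed illustration of the vulnerable pattern: a CRD string value is
// interpolated into an NGINX configuration template verbatim. text/template
// performs no escaping, so a value carrying ';' and a newline ends the
// directive and starts another. This is NOT NGINX Gateway Fabric's template.
const serverTokensTmpl = "server_tokens {{ .ServerTokens }};\n"

type proxyConfig struct {
	ServerTokens string // value taken from the NginxProxy serverTokens field
}

// RenderUnsafe mirrors the flawed behaviour: no validation before rendering.
func RenderUnsafe(serverTokens string) (string, error) {
	t := template.Must(template.New("nginx").Parse(serverTokensTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, proxyConfig{ServerTokens: serverTokens}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Keyword forms of the server_tokens directive (assumed allowlist).
var keywordValues = map[string]bool{"on": true, "off": true, "build": true}

// Assumed policy for a free-form string value: printable characters only, none
// of which can close a quoted string ("), escape (\), end a directive (;), open
// or close a block ({ }), start a comment (#), or reference a variable ($).
var safeString = regexp.MustCompile(`^[A-Za-z0-9 ._/-]{1,64}$`)

var ErrUnsafeValue = errors.New("serverTokens: value contains disallowed characters")

// ValidateServerTokens fails closed: anything outside the allowlist is rejected
// rather than escaped, so the generator never emits a value it cannot reason about.
func ValidateServerTokens(v string) (string, error) {
	if keywordValues[v] {
		return v, nil
	}
	if safeString.MatchString(v) {
		return `"` + v + `"`, nil // quoting is safe because '"' and '\' are excluded
	}
	return "", ErrUnsafeValue
}

// RenderSafe validates the value before it ever reaches the template.
func RenderSafe(serverTokens string) (string, error) {
	v, err := ValidateServerTokens(serverTokens)
	if err != nil {
		return "", err
	}
	return RenderUnsafe(v)
}

// CountDirectives counts ';'-terminated statements in a rendered snippet.
// One field should never produce more than one; a higher count is the
// signature of directive injection and a useful check in generator tests.
func CountDirectives(cfg string) int {
	n := 0
	for _, stmt := range strings.Split(cfg, ";") {
		if strings.TrimSpace(stmt) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed value: a second, harmless directive smuggled in after the first.
	hostile := "off;\nclient_max_body_size 1m"
	out, _ := RenderUnsafe(hostile)
	fmt.Printf("unsafe render produced %d directives:\n%s", CountDirectives(out), out)
	if _, err := RenderSafe(hostile); err != nil {
		fmt.Println("safe render rejected it:", err)
	}
	ok, _ := RenderSafe("off")
	fmt.Print("safe render of a valid value: ", ok)
}
```

The design choice worth noting is rejection over escaping: NGINX configuration has several equivalent ways to end a statement or open a block (this is why the record maps to CWE-76, neutralizing some special elements but not their equivalents), so an allowlist on the value's shape is easier to get right than an escaper that must know every equivalent form. The same `CountDirectives` check can be run against a generator's output in unit tests as a regression guard.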
Affected Vendors & Products
Vendor: nginx
Product: nginx_plus
Version / Range: *
CWE
CWE-76 (Improper Neutralization of Equivalent Special Elements): The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
AI-generated analysis
Executive Summary

This vulnerability exists in NGINX Plus when it is configured as the data plane for NGINX Gateway Fabric. It is an injection vulnerability in the NGINX configuration generator component of NGINX Gateway Fabric.

Specifically, user-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are inserted directly into NGINX configuration templates without any sanitization or escaping.

An authenticated attacker who has permission to create or modify these Custom Resource Definitions can craft values that inject arbitrary NGINX configuration directives, potentially altering the behavior of the NGINX configuration.

This is a control plane issue, meaning the vulnerability affects configuration management rather than the data plane itself, and there is no direct data plane exposure from triggering this vulnerability.

Impact Analysis

This vulnerability can allow an authenticated attacker with permission to modify certain Custom Resource Definitions to inject arbitrary configuration directives into NGINX.

Such injection could lead to unauthorized changes in the behavior of the NGINX server, potentially compromising the security or stability of the system.

Because the vulnerability is in the control plane, it may allow attackers to manipulate configuration settings, which could result in denial of service, bypass of security controls, or other unintended behaviors.
