CVE-2026-50107
Analyzed Analyzed - Analysis Complete

NGINX Gateway Fabric Configuration Injection Vulnerability

Vulnerability report for CVE-2026-50107, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-22

Assigner: F5 Networks

Description

When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-22
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
f5 nginx_gateway_fabric From 2.3.0 (inc) to 2.6.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric when NGINX Plus or NGINX Open Source is used as the data plane. It occurs because user-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are inserted directly into NGINX configuration templates without proper sanitization or escaping.

An authenticated attacker who has permission to create or modify these CRDs can exploit this flaw by crafting values that inject arbitrary NGINX configuration directives, potentially altering the behavior of the NGINX configuration.

This is a control plane issue, meaning the vulnerability affects the configuration management side rather than the data plane itself, and there is no direct data plane exposure from triggering this vulnerability.

Impact Analysis

Exploitation of this vulnerability allows an authenticated user with permission to modify NginxProxy CRDs to inject arbitrary configuration directives into the NGINX configuration.

This can lead to unauthorized changes in the behavior of the NGINX server, potentially causing security policy bypasses, misrouting of traffic, or other unintended effects controlled by the injected configuration.

Since the vulnerability is in the control plane, it does not directly expose data plane traffic but can indirectly impact the security and stability of the system by altering configuration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50107. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart