CVE-2026-1642

5.9 MEDIUM

📋 TL;DR

A vulnerability in NGINX OSS and NGINX Plus allows attackers in a man-in-the-middle position on the upstream server side to inject plain text data into responses from proxied TLS servers. This affects organizations using NGINX as a reverse proxy to upstream TLS servers. The vulnerability requires specific MITM conditions beyond the attacker's control.

💻 Affected Systems

Products:
  • NGINX OSS
  • NGINX Plus
Versions: Specific versions not provided in CVE description; check vendor advisory for details
Operating Systems: All platforms running affected NGINX versions
Default Config Vulnerable: ✅ No
Notes: Only affects configurations where NGINX proxies to upstream TLS servers. End-of-Technical-Support versions are not evaluated.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious content into responses, potentially leading to data corruption, client-side attacks, or manipulation of sensitive data.

🟠 Likely Case

Limited data injection into specific responses, potentially causing data integrity issues or minor service disruption.

🟢 If Mitigated

Minimal impact with proper network segmentation and TLS validation controls in place.

🌐 Internet-Facing: MEDIUM - Requires MITM position on upstream side, which is less common for internet-facing proxies.
🏢 Internal Only: MEDIUM - Internal networks may have more opportunities for MITM positioning on upstream connections.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires MITM position on upstream server side plus additional conditions beyond attacker's control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000159824

Restart Required: Yes

Instructions:

1. Check the vendor advisory for affected versions.
2. Update to a patched version.
3. Restart the NGINX service.
4. Verify the configuration remains valid.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Implement strict network controls to prevent MITM attacks on upstream connections.

TLS Certificate Validation (platform: linux)

Ensure proper TLS certificate validation is enabled for upstream connections, then test and reload:

nginx -t                  # Test configuration
systemctl reload nginx    # Reload if using systemd

🧯 If You Can't Patch

  • Implement strict network segmentation between NGINX and upstream TLS servers
  • Monitor upstream connections for unusual activity or data injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the NGINX version and inspect the configuration for proxy_pass directives that point at upstream TLS (https://) servers.
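Both the TLS Certificate Validation workaround above and this verification step come down to the same question: which proxy_pass locations talk to an https:// upstream, and do they enable proxy_ssl_verify? The following is an added example (not part of the advisory or of NGINX itself) that answers that question over the text of an nginx -T dump. The configuration it scans is a constructed sample; the hostnames backend.internal and legacy.internal and the CA path /etc/nginx/certs/upstream-ca.pem are placeholders. proxy_pass, proxy_ssl_verify and proxy_ssl_trusted_certificate are real NGINX directives.

```shell
#!/bin/sh
# Constructed sample standing in for `nginx -T` output (placeholder hosts/paths).
# In practice run:  nginx -T 2>/dev/null | find_unverified_https_upstreams
SAMPLE_CONF='
server {
    location /api/ {
        # hardened: upstream certificate is checked against a pinned CA
        proxy_pass https://backend.internal:8443;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;
    }
    location /legacy/ {
        # weak: TLS to the upstream, but the default (proxy_ssl_verify off) applies
        proxy_pass https://legacy.internal;
    }
    location /static/ {
        proxy_pass http://static.internal;
    }
}
'

# Reads nginx configuration text on stdin and prints the opening line of every
# location block that proxies to an https:// upstream without "proxy_ssl_verify on".
find_unverified_https_upstreams() {
    awk '
        /location[[:space:]]/ {
            loc = $0; sub(/^[[:space:]]+/, "", loc)
            https = 0; verify = 0
        }
        /proxy_pass[[:space:]]+https:\/\// { https = 1 }
        /proxy_ssl_verify[[:space:]]+on/   { verify = 1 }
        /^[[:space:]]*}/ {
            if (https && !verify) print loc
            https = 0; verify = 0
        }
    '
}

# Stand-alone run over the constructed sample; expected to flag only /legacy/.
printf '%s' "$SAMPLE_CONF" | find_unverified_https_upstreams
```

The check is deliberately simple: it only looks at directives inside each location block, so a proxy_ssl_verify on inherited from the enclosing server or http context will be reported as missing (a false positive worth confirming by hand), and nested blocks such as if {} inside a location are not tracked.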

Check Version:

nginx -v

Verify Fix Applied:

Confirm that the running NGINX version (nginx -v) is one of the patched versions named in the vendor advisory and that the upstream proxy configuration is properly secured.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected data patterns in upstream responses
  • TLS handshake anomalies with upstream servers

Network Indicators:

  • Unusual traffic patterns between NGINX and upstream TLS servers
  • MITM detection alerts

SIEM Query:

Search for: 'nginx upstream error' OR 'tls handshake failed' near proxy_pass operations
