F5 has issued an urgent security advisory addressing multiple high-severity vulnerabilities in NGINX, a widely used web server and reverse proxy. These flaws could allow attackers to execute arbitrary code and initiate denial-of-service (DoS) attacks on affected systems.
The advisory, released on June 17, 2026, identifies several critical issues impacting NGINX Open Source, NGINX Plus, and related products such as NGINX Gateway Fabric and NGINX Ingress Controller. Some vulnerabilities have been assigned CVSS v4.0 scores as high as 9.2, indicating a significant risk to organizations relying on NGINX for web and application delivery.
Key Vulnerabilities and Affected Versions
One of the most critical vulnerabilities, tracked as CVE-2026-42530, resides in the ngx_http_v3_module of NGINX. This flaw affects NGINX Open Source versions 1.31.0 and 1.31.1 and has been patched in version 1.31.2. Exploitation could lead to memory corruption, potentially enabling remote code execution or service disruption.
Another high-risk vulnerability, CVE-2026-42055, impacts the ngx_http_proxy_v2_module and ngx_http_grpc_module. This issue affects both NGINX Open Source and NGINX Plus deployments. Attackers could exploit this flaw to trigger DoS conditions or execute malicious code under specific configurations.
F5 has addressed these vulnerabilities in NGINX Open Source versions 1.30.3 and 1.31.2, as well as NGINX Plus release 37.0.2.1 and R36 P6. Administrators are strongly advised to upgrade to these patched versions immediately to mitigate potential risks.
Additional Vulnerabilities in NGINX Gateway Fabric
F5 also disclosed additional vulnerabilities in NGINX Gateway Fabric, including CVE-2026-11311 and CVE-2026-50107, both rated high severity. These flaws affect versions 2.3.0 through 2.6.3 and have been fixed in version 2.6.4. Exploitation of these issues could result in service instability or unauthorized behavior within Kubernetes-based environments where Gateway Fabric is deployed.
In addition to high-severity flaws, the advisory includes medium-severity vulnerabilities such as CVE-2026-48142, which affects the ngx_http_charset_module. While less critical, this issue could still be leveraged to impact application behavior or degrade service reliability if left unpatched.
Mitigation and Recommendations
Several F5 and NGINX-related products, including NGINX Instance Manager, NGINX App Protect, and F5 WAF for NGINX, are affected but currently lack direct fixes. F5 recommends applying mitigations and monitoring configurations until patches are released for these components.
Given the widespread use of NGINX in modern web infrastructure, these vulnerabilities present attractive targets for attackers. F5’s advisory warns that vulnerable internet-facing systems are at greatest risk and should be updated to the latest patched releases without delay. Where upgrades are not possible, administrators should implement temporary mitigations, such as restricting access, turning off vulnerable modules, and monitoring logs for suspicious activity.
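The version and module checks implied by the paragraphs above can be scripted for triage. The following is an added example, not code from F5 or from the advisory: the release numbers are the ones quoted in this article, while the function names, the directive-to-module mapping, the rule that a module matters only when its directive is active, and the sample configuration are assumptions made for illustration.

```python
import re

# Release numbers below come from the article; the rest is this example's assumption.
FIXED_OSS = {(1, 30): (1, 30, 3), (1, 31): (1, 31, 2)}  # branch -> first fixed release
H3_AFFECTED = {(1, 31, 0), (1, 31, 1)}                  # CVE-2026-42530
NGF_AFFECTED = ((2, 3, 0), (2, 6, 3))                   # Gateway Fabric, fixed in 2.6.4

# Assumption: a module is in use when one of its directives is active (uncommented).
MODULE_DIRECTIVES = {
    "ngx_http_v3_module": re.compile(r"^\s*(listen\s[^;#]*\bquic\b|http3\s+on)", re.M),
    "ngx_http_grpc_module": re.compile(r"^\s*grpc_pass\s", re.M),
    "ngx_http_charset_module": re.compile(r"^\s*charset\s+(?!off\b)\S", re.M),
}

SAMPLE_CONF = """
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    # grpc_pass grpc://127.0.0.1:50051;
    charset utf-8;
}
"""  # constructed sample, not a real deployment

def parse_version(text):
    """Pull (major, minor, patch) out of text such as the `nginx -v` banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def oss_status(version):
    fixed = FIXED_OSS.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # the article names no fixed release for this branch
    return "patched" if version >= fixed else "upgrade"

def ngf_status(version):
    low, high = NGF_AFFECTED
    return "affected" if low <= version <= high else "not-listed"

def triage(banner, config):
    version = parse_version(banner)
    in_use = sorted(n for n, rx in MODULE_DIRECTIVES.items() if rx.search(config))
    h3 = version in H3_AFFECTED and "ngx_http_v3_module" in in_use
    return {"version": version, "status": oss_status(version),
            "modules_in_use": in_use, "http3_flaw_reachable": h3}

if __name__ == "__main__":
    print(triage("nginx version: nginx/1.31.1", SAMPLE_CONF))
```

An "unknown-branch" result means the article gives no fixed release for that branch, so the host needs to be checked against the advisory itself rather than assumed safe.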
This out-of-band release underscores the urgency of the vulnerabilities and the potential impact on production systems. Timely patching is critical to reducing the attack surface, especially considering the combination of remote exploitation potential and high severity scores.
F5 continues to provide updates and detailed technical guidance through its official advisory portal. Users are encouraged to subscribe to security notifications to stay informed about the latest developments and recommended actions.
In the broader context, this incident highlights the importance of proactive vulnerability management and the need for organizations to maintain robust patching practices. As cyber threats evolve, staying ahead of potential exploits through timely updates and vigilant monitoring remains a cornerstone of effective cybersecurity strategy.