#VU122335 Acceptance of extraneous untrusted data with trusted data in nginx and NGINX Plus - CVE-2026-1642

 


Published: February 5, 2026


Vulnerability identifier: #VU122335
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2026-1642
CWE-ID: CWE-349
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
nginx
NGINX Plus
Software vendor:
F5 Networks

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect handling of trusted and untrusted data when nginx is configured to proxy to upstream Transport Layer Security (TLS) servers. A remote unauthenticated attacker with a man-in-the-middle (MITM) position on the upstream server side can inject plain text data into the responses from an upstream proxied server, which are then sent to clients.
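To scope which hosts need the update first, the precondition named above (nginx proxying to an upstream over TLS) can be inventoried from configuration files. The script below is an added example, not part of the advisory or of vendor guidance; the directive list and the sample configuration are assumptions constructed for illustration, and a match identifies the configuration class only, not an affected version.

```python
import re

# Assumption: the advisory names no directives; these are the standard nginx
# ways to send upstream traffic over TLS (http, gRPC, uwsgi, stream modules).
TLS_UPSTREAM = re.compile(
    r"^(proxy_pass\s+https://\S+|grpc_pass\s+grpcs://\S+|"
    r"uwsgi_pass\s+suwsgi://\S+|proxy_ssl\s+on)$"
)

def find_tls_upstreams(conf_text):
    """Return (line_no, enclosing context, directive) per TLS upstream directive.
    Simplified tokenizer: quoted strings and ${var} braces are not handled."""
    findings, stack, buf, start = [], [], "", None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw)      # drop comments
        for ch in line + " ":                      # line break acts as whitespace
            if ch in "{;}":
                stmt = " ".join(buf.split())
                if ch == "{":
                    stack.append(stmt)             # entering http/server/location
                elif ch == ";" and TLS_UPSTREAM.match(stmt):
                    findings.append((start, " > ".join(stack) or "main", stmt))
                elif ch == "}" and stack:
                    stack.pop()
                buf, start = "", None
            else:
                if start is None and not ch.isspace():
                    start = line_no                # first line of the statement
                buf += ch
    return findings

# Constructed sample configuration (hypothetical hosts and names).
SAMPLE_CONF = """\
http {
    server {
        location /api/ {
            proxy_pass https://app_tls;   # TLS to upstream
        }
        location /static/ { proxy_pass http://127.0.0.1:8080; }
        # proxy_pass https://disabled.example;
    }
}
stream {
    server { proxy_pass 10.0.0.9:5432; proxy_ssl on; }
}
"""

if __name__ == "__main__":
    for line_no, context, directive in find_tls_upstreams(SAMPLE_CONF):
        print(f"line {line_no}: [{context}] {directive}")
```

Files pulled in with `include` are not followed, so run it over each included file or over the flattened output of `nginx -T`.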


Remediation

Install updates from the vendor's website.

External links