CVE Catalog

CVE-2026-11311

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.57%

43th percentile — higher than 43% of all known CVEs

Summary

In NGINX Gateway Fabric, when NGINX Plus is configured as the data plane, an injection vulnerability exists in the NGINX configuration generator component. User-supplied string values from the serverTokens field of the NginxProxy Custom Resource Definition and the extraAuthArgs field of the AuthenticationFilter Custom Resource Definition are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may inject arbitrary NGINX configuration directives.

Risk Assessment

The risk is that an authenticated attacker could gain control over NGINX configuration, potentially compromising the integrity and security of the entire infrastructure. This is a control plane issue with no direct data plane exposure, but the impact can be severe.

Recommendation

It is recommended to immediately apply patches provided by the vendor for NGINX Gateway Fabric and restrict permissions to create or modify NginxProxy and AuthenticationFilter resources to trusted administrators only.

Original NVD description (English source)

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS