CVE-2026-11311
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
In NGINX Gateway Fabric, when NGINX Plus is configured as the data plane, an injection vulnerability exists in the NGINX configuration generator component. User-supplied string values from the serverTokens field of the NginxProxy Custom Resource Definition and the extraAuthArgs field of the AuthenticationFilter Custom Resource Definition are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may inject arbitrary NGINX configuration directives.
Risk Assessment
The risk is that an authenticated attacker could gain control over NGINX configuration, potentially compromising the integrity and security of the entire infrastructure. This is a control plane issue with no direct data plane exposure, but the impact can be severe.
Recommendation
It is recommended to immediately apply patches provided by the vendor for NGINX Gateway Fabric and restrict permissions to create or modify NginxProxy and AuthenticationFilter resources to trusted administrators only.
Original NVD description (English source)
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

