CVE-2026-32682
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A vulnerability in NGINX Gateway Fabric allows an authenticated remote attacker with permission to create or modify GRPCRoute resources to cause the control plane to terminate by sending specially crafted GRPCRoute configurations containing backendRef filters.
Risk Assessment
The risk is a potential DoS attack on the NGINX Gateway Fabric control plane, which can disrupt services managed by the gateway and impact application availability.
Recommendation
It is recommended to immediately update NGINX Gateway Fabric to the latest available version containing a fix for this vulnerability, and restrict permissions to create or modify GRPCRoute resources to trusted users only.
Original NVD description (English source)
When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

