CVE Catalog

CVE-2026-40460

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

30th percentile - higher than 30% of all known CVEs

Summary

In NGINX Plus and NGINX Open Source with the HTTP/3 QUIC module enabled, an attacker can spoof their source IP address, bypassing authorization or rate limiting.

Risk Assessment

The organization faces risks of unauthorized access to resources and server overload due to bypassed rate limits.

Recommendation

Immediately update NGINX to the latest patched version and disable the HTTP/3 QUIC module if not required.

Original NVD description (English source)

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS