CVE Catalog

CVE-2026-50107

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

In NGINX Plus or NGINX Open Source configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component. User-supplied string values from the NginxProxy Custom Resource Definition access log format setting are rendered without sanitization, allowing for the injection of arbitrary NGINX configuration directives.

Risk Assessment

This vulnerability could be exploited by an authenticated attacker to inject malicious directives into the NGINX configuration, potentially leading to unauthorized access or changes in system behavior. Although there is no direct exposure of the data plane, control over the configuration can have serious consequences.

Recommendation

It is recommended to review and update the NGINX configuration to ensure proper sanitization of user-supplied values. Additionally, permissions for creating or modifying CRDs should be restricted to trusted users.

Original NVD description (English source)

When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS