In an out-of-band security notification released on March 24, 2026, F5 disclosed several critical and high-severity vulnerabilities affecting both NGINX Plus and NGINX Open Source. The advisory covers a range of flaws, from buffer overflows in media modules to authentication-related crashes, that could allow unauthenticated attackers to disrupt web services or potentially execute malicious code.
The most pressing vulnerabilities target core NGINX modules, with CVSS scores reaching as high as 8.8.
DAV Module Buffer Overflow (CVE-2026-27654), CVSS Score: 8.8 (High)
A vulnerability in the ngx_http_dav_module could allow an attacker to trigger a buffer overflow in the NGINX worker process. This flaw can lead to the “termination of the NGINX worker process or modification of source or destination file names outside the document root”. This issue specifically impacts systems using the DAV module’s MOVE or COPY methods in combination with alias directives.
MP4 Module Buffer Over-read/write (CVE-2026-27784 & CVE-2026-32647), CVSS Score: 8.5 (High)
Two significant flaws were discovered in the ngx_http_mp4_module. These vulnerabilities can be triggered by a “specially crafted MP4 file”.
- CVE-2026-27784: On 32-bit implementations of NGINX Open Source, an attacker could over-read or over-write worker memory, leading to a denial-of-service (DoS).
- CVE-2026-32647: This broader flaw affects both Plus and Open Source versions and might allow an attacker to “trigger a buffer over-read or over-write… resulting in its termination or possibly code execution”.
The MP4 module is not enabled by default in the Open Source edition and must be explicitly enabled to be vulnerable. However, it is included by default in NGINX Plus.
Mail Module Vulnerability (CVE-2026-27651), CVSS Score: 8.7 (High)
A third high-severity issue targets the ngx_mail_auth_http_module. When CRAM-MD5 or APOP authentication is enabled, undisclosed requests can cause worker processes to terminate. A remote, unauthenticated attacker can therefore cause a DoS by repeatedly crashing worker processes, which the master process keeps restarting.
Impact and Remediation
F5 emphasizes that while many of these flaws are “data plane” issues, meaning they do not expose the control plane, they still cause significant service disruption during process restarts.
F5 has introduced fixes across several branches. Administrators are urged to update to the following versions or later:
| Affected Product | Affected Versions | Fixes Introduced In |
|---|---|---|
| NGINX Plus | R32 – R36 | R36 P3 / R35 P2 / R32 P5 |
| NGINX Open Source | 1.0.0 – 1.29.6 | 1.29.7 |
| NGINX Open Source | 0.5.13 – 0.9.7 | 1.28.3 |
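As an added triage example (not from F5 or the advisory), the Python script below reads the output of `nginx -V` plus a configuration snippet and reports whether an Open Source build is below the fixed versions in the table, which of the affected modules are compiled in, and whether the directives the advisory names as triggers (DAV MOVE/COPY with alias, mail APOP/CRAM-MD5 auth) are configured. It assumes the 1.28.3 fix applies to the 1.28 branch, uses the standard `--with-http_dav_module`, `--with-http_mp4_module` and `--with-mail` configure flags, and covers Open Source only (Plus uses R-releases); the sample inputs are constructed.

```python
import re

# Fix versions from the advisory table: 1.29.7 (mainline) and 1.28.3
# (assumption: the 1.28 stable branch fix). Any version inside the
# advisory's affected range that is not at/after its branch fix is flagged.
FIXED_OSS = {(1, 29): (1, 29, 7), (1, 28): (1, 28, 3)}
AFFECTED_LOW, AFFECTED_HIGH = (0, 5, 13), (1, 29, 6)

# Compile-time flags (from `nginx -V`) that bring in each vulnerable module.
MODULE_FLAGS = {
    "--with-http_dav_module": "CVE-2026-27654 (DAV MOVE/COPY + alias)",
    "--with-http_mp4_module": "CVE-2026-27784 / CVE-2026-32647 (crafted MP4)",
    "--with-mail": "CVE-2026-27651 (mail CRAM-MD5/APOP auth)",
}

def parse_version(nginx_v: str):
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v)
    return tuple(int(x) for x in m.groups()) if m else None

def version_is_fixed(v) -> bool:
    """True if v is at/after the fix on its branch, or outside the affected range."""
    fixed = FIXED_OSS.get(v[:2])
    if fixed is not None:
        return v >= fixed
    return not (AFFECTED_LOW <= v <= AFFECTED_HIGH)

def compiled_modules(nginx_v: str):
    return [flag for flag in MODULE_FLAGS if flag in nginx_v]

def risky_config_directives(conf: str):
    """Directives from the advisory that enable the vulnerable code paths."""
    hits = []
    if re.search(r"dav_methods[^;]*\b(MOVE|COPY)\b", conf) and re.search(r"\balias\s", conf):
        hits.append("dav_methods MOVE/COPY with alias")
    if re.search(r"(pop3|smtp|imap)_auth[^;]*\b(apop|cram-md5)\b", conf):
        hits.append("mail auth with apop/cram-md5")
    return hits

def assess(nginx_v: str, conf: str = "") -> dict:
    v = parse_version(nginx_v)
    return {"version": v,
            "needs_update": v is not None and not version_is_fixed(v),
            "modules": compiled_modules(nginx_v),
            "config": risky_config_directives(conf)}

# Constructed sample inputs: a 1.29.6 build with all three modules and both triggers.
SAMPLE_NGINX_V = ("nginx version: nginx/1.29.6\nTLS SNI support enabled\n"
                  "configure arguments: --prefix=/etc/nginx --with-http_dav_module "
                  "--with-http_mp4_module --with-mail\n")
SAMPLE_CONF = ("location /upload/ { alias /srv/uploads/; dav_methods PUT DELETE MOVE COPY; }\n"
               "mail { server { listen 110; protocol pop3; pop3_auth plain apop cram-md5; } }\n")

if __name__ == "__main__":
    print(assess(SAMPLE_NGINX_V, SAMPLE_CONF))
```

On a live host, feed it `subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr` (nginx prints `-V` output to stderr) and the text of the active configuration.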