Description

When NGINX Plus or NGINX Open Source is configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address, allowing bypass of authorization or bypass of rate limiting. Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-13 | Updated 2026-05-13 | Assigner f5

MEDIUM: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-290 Authentication Bypass by Spoofing

Product status

Default status: unknown

R37 (custom) before *: unaffected

R36 (custom) before R36 P4: affected

R32 (custom) before R32 P6: affected

Default status: unaffected

1.31.0 (semver) before *: unaffected

1.26.0 (semver) before 1.30.1: affected

Credits

F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure. (reporter)

References

my.f5.com/manage/s/article/K000161068 (vendor-advisory, patch)

cve.org (CVE-2026-40460)

nvd.nist.gov (CVE-2026-40460)
