
Description

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-13 | Updated 2026-05-13 | Assigner f5




MEDIUM: 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

MEDIUM: 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Problem types

CWE-172 Encoding Error

Product status

Default status: unaffected

1.31.0 (semver) before *: unaffected

1.29.4 (semver) before 1.30.1: affected

Credits

F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and 章鱼哥 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure. (reporter)

References

my.f5.com/manage/s/article/K000161131 (vendor-advisory, patch)

cve.org (CVE-2026-42926)

nvd.nist.gov (CVE-2026-42926)
