CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-1642: NGINX Upstream TLS Injection: Racing the Handshake

Vulnerability ID: CVE-2026-1642
CVSS Score: 8.2
Published: 2026-02-04

A high-severity race condition in NGINX's event loop lets an on-path (man-in-the-middle) attacker bypass upstream TLS protection entirely. By injecting a plaintext HTTP response immediately after the TCP connection is established, before the TLS handshake begins, the attacker can trick NGINX into processing and serving that payload as if it had come from the trusted backend.

TL;DR

On new upstream connections, NGINX checks for incoming data (the read event) before it sends the TLS ClientHello (the write event). An attacker can race this logic by sending plaintext HTTP immediately upon TCP connect. NGINX accepts the unencrypted data and skips TLS negotiation altogether.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-349
  • CVSS v4.0: 8.2 (High)
  • CVSS v3.1: 5.9 (Medium)
  • Attack Vector: Network (MITM)
  • Impact: Integrity (High)
  • EPSS Score: 0.00012 (~1.44%)
  • Patch Commit: 376c3739b633e4ddac8ecf59d72e43b0b9151c51

Affected Systems

  • NGINX Open Source
  • NGINX Plus
  • Kubernetes Ingress Controllers (using affected NGINX versions)
  • Load Balancers based on NGINX
  • NGINX Open Source: 1.3.0 - 1.29.4 (Fixed in: 1.29.5)
  • NGINX Plus: R36 < P2 (Fixed in: R36 P2)

Code Analysis

Commit: 376c373

Upstream: fixed potential plain text injection in SSL connections.

--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -2508,6 +2508,15 @@
+#if (NGX_HTTP_SSL)
+        if (u->ssl && c->ssl == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "upstream prematurely sent response");
+            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+            return;
+        }
+#endif
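Review bot: the hunk header `@@ -2508,6 +2508,15 @@` accounts for nine added lines but only eight are quoted, and no unchanged context lines are shown, so a reader cannot see which function this guard lives in or confirm that it runs before any upstream bytes are parsed; the post should name the function and quote a line or two of surrounding context. The condition itself, `u->ssl && c->ssl == NULL`, is the right shape: the upstream is configured for TLS but no SSL context has been attached to the connection yet, so any readable data at this point is by definition unencrypted and is rejected rather than parsed. Passing `NGX_HTTP_UPSTREAM_FT_ERROR` to `ngx_http_upstream_next` hands the decision to the `proxy_next_upstream` policy instead of failing the request outright, and the `NGX_LOG_ERR` message is the exact string the remediation steps below grep for, which is worth stating alongside the hunk.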

Exploit Details

  • Hypothetical: Analysis of the patch indicates trivial exploitation for any MITM capable of TCP stream manipulation.

Mitigation Strategies

  • Upgrade NGINX binaries immediately
  • Implement strict network segmentation between proxy and upstream
  • Enable mTLS (Mutual TLS) where possible to harden connections

Remediation Steps:

  1. Identify current NGINX version: nginx -v
  2. If OSS version is < 1.29.5 (mainline) or < 1.28.2 (stable), schedule downtime.
  3. Download and compile the patched source or install via package manager.
  4. Restart NGINX service.
  5. Verify fix by monitoring logs for 'upstream prematurely sent response' errors.
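The following is an added example, not code from the CVE Reports post or from the NGINX project, that carries out steps 1, 2 and 5 of the remediation list: it parses the banner printed by `nginx -v`, decides whether an Open Source build falls in the affected range the report gives (1.3.0 through 1.29.4, fixed in 1.29.5 mainline and 1.28.2 stable), and scans NGINX error-log lines for the message emitted by the patched check, grouping hits by upstream so that repeated occurrences from one backend stand out. The error-log lines are constructed for the example, and the `upstream: "..."` field layout is assumed to follow NGINX's standard error-log context format; NGINX Plus builds are not handled.

```python
"""Remediation helper for CVE-2026-1642 (added example, not from the original report)."""
import re
from collections import Counter

# Version boundaries taken from the report's "Affected Systems" and remediation steps.
FIRST_AFFECTED = (1, 3, 0)     # affected range starts at 1.3.0
FIXED_MAINLINE = (1, 29, 5)    # mainline fix
FIXED_STABLE = (1, 28, 2)      # stable-branch fix (1.28.x)
STABLE_MINOR = 28

# Exact string logged by the patched check in ngx_http_upstream.c.
PATCH_LOG_MARKER = "upstream prematurely sent response"


def parse_nginx_version(banner: str) -> tuple:
    """Parse the output of `nginx -v`, e.g. 'nginx version: nginx/1.29.4'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised nginx banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True if an Open Source build of this version is inside the affected range.

    The 1.28 stable branch received its own backport (1.28.2), so it is compared
    against that boundary; every other branch is compared against the mainline fix.
    """
    if version < FIRST_AFFECTED:
        return False
    if version[1] == STABLE_MINOR:
        return version < FIXED_STABLE
    return version < FIXED_MAINLINE


def assess(banner: str) -> dict:
    """Combine steps 1 and 2: parse the banner and report the required action."""
    version = parse_nginx_version(banner)
    vulnerable = is_vulnerable(version)
    target = FIXED_STABLE if version[1] == STABLE_MINOR else FIXED_MAINLINE
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "upgrade_to": ".".join(map(str, target)) if vulnerable else None,
    }


_UPSTREAM_RE = re.compile(r'upstream: "([^"]+)"')


def find_premature_responses(lines) -> Counter:
    """Step 5: count patched-check hits per upstream address in error-log lines.

    A backend that genuinely misbehaves tends to produce isolated hits; a burst of
    hits against one upstream after the upgrade is the signal worth investigating,
    because it means something on the path is still sending plaintext before the
    handshake and the patch is now rejecting it.
    """
    hits = Counter()
    for line in lines:
        if PATCH_LOG_MARKER not in line:
            continue
        m = _UPSTREAM_RE.search(line)
        hits[m.group(1) if m else "<unknown upstream>"] += 1
    return hits


# Constructed sample error-log lines (not real logs from the report).
SAMPLE_ERROR_LOG = [
    '2026/02/04 10:00:01 [error] 1234#1234: *1 upstream prematurely sent response '
    'while reading response header from upstream, client: 10.0.0.5, server: example.test, '
    'request: "GET / HTTP/1.1", upstream: "https://10.0.1.20:443/", host: "example.test"',
    '2026/02/04 10:00:02 [warn] 1234#1234: *2 upstream server temporarily disabled '
    'while connecting to upstream, upstream: "https://10.0.1.21:443/"',
    '2026/02/04 10:00:03 [error] 1234#1234: *3 upstream prematurely sent response '
    'while reading response header from upstream, client: 10.0.0.6, server: example.test, '
    'request: "GET /api HTTP/1.1", upstream: "https://10.0.1.20:443/", host: "example.test"',
]

if __name__ == "__main__":
    print(assess("nginx version: nginx/1.29.4"))
    for upstream, n in find_premature_responses(SAMPLE_ERROR_LOG).items():
        print(f"{n:3d}  {upstream}")
```

Run it with the real banner (`nginx -v 2>&1`) and the contents of the configured `error_log` file; the version check is only meaningful for Open Source builds, since NGINX Plus uses the R36 P2 release numbering from the report instead.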

Read the full report for CVE-2026-1642 on our website for more details including interactive diagrams and full exploit analysis.
