
NGINX Servers Exposed: Response Injection Flaw Puts Millions of Web Applications at Risk

F5 patches CVE-2026-1642 in NGINX, affecting TLS proxy configurations. Update to versions 1.29.5 or 1.28.2 immediately.


A newly disclosed vulnerability in NGINX web servers could allow attackers positioned between servers and upstream systems to manipulate data flowing to end users, potentially compromising the integrity of millions of web applications worldwide.

F5 Networks revealed CVE-2026-1642 on February 4, 2026, affecting both NGINX Open Source (versions 1.3.0 through 1.29.4) and NGINX Plus (releases R32 through R36). The flaw specifically targets deployments where NGINX proxies traffic to upstream Transport Layer Security (TLS) servers—a common configuration in modern web infrastructure handling everything from e-commerce transactions to API gateways.

The vulnerability's mechanics are particularly insidious. When an attacker achieves a man-in-the-middle position on the upstream server side, they can inject plaintext data into responses that NGINX then forwards to clients. While exploitation requires the attacker to control network positioning and depends on conditions beyond their direct control, successful attacks could alter application behaviour, manipulate displayed content, or undermine the trustworthiness of server responses.

F5 classifies this as CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data, essentially meaning NGINX fails to properly validate that all data in a response actually comes from the legitimate upstream server. The vulnerability carries a CVSS v3.1 score of 5.9 (medium severity) but jumps to 8.2 under the newer CVSS v4.0 scoring system, which F5 now uses for more precise risk assessment.

What makes this particularly concerning is NGINX's massive deployment footprint. The software powers over 400 million websites globally and serves as the backbone for countless enterprise applications, Kubernetes ingress controllers, and cloud-native architectures. Affected configurations include NGINX proxying to TLS-enabled HTTP (HTTP/1.x and HTTP/2), gRPC, and uWSGI backends.

F5's internal security team discovered the issue, and patches are now available. NGINX Open Source users should upgrade to version 1.29.5 or 1.28.2, while NGINX Plus customers need to apply patch releases R36 P2, R35 P1, or R32 P4, depending on their deployment branch. The security update also extends to NGINX Ingress Controller and NGINX Gateway Fabric installations, which inherit the vulnerability from their underlying NGINX components.
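A quick way to triage an NGINX Open Source host against the version ranges above, as an added example (not code from the article or from F5). It assumes `nginx -v` prints `nginx version: nginx/X.Y.Z` and that branches newer than 1.29 ship with the fix; NGINX Plus R-releases are not covered.

```python
"""Triage an NGINX Open Source version against CVE-2026-1642.

Affected range from the advisory summary: 1.3.0 through 1.29.4.
Fixed releases: 1.29.5 (mainline branch) and 1.28.2 (stable branch).
Added example, not the article's or F5's code; `nginx -v` output format
and the "1.30+ carries the fix" assumption are assumptions."""
import re
import subprocess

FIRST_AFFECTED = (1, 3, 0)
LAST_AFFECTED_MAINLINE = (1, 29, 4)
# Per-branch fixed releases named in the advisory.
FIXED = {(1, 29): (1, 29, 5), (1, 28): (1, 28, 2)}


def parse_version(text):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this open-source build falls in the affected range and below its branch fix."""
    if version < FIRST_AFFECTED:
        return False  # predates the affected code path
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Other branches from 1.3 up to 1.29.4 have no patched release of their own,
    # so they must be upgraded; anything newer is assumed (not stated) to be fixed.
    return version <= LAST_AFFECTED_MAINLINE


def check_local_nginx():
    """Run `nginx -v` (it writes to stderr) and return (version, vulnerable); assumes nginx is on PATH."""
    out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    version = parse_version(out.stderr or out.stdout)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    v, vuln = check_local_nginx()
    status = "VULNERABLE to CVE-2026-1642, upgrade" if vuln else "not affected"
    print(f"nginx {'.'.join(map(str, v))}: {status}")
```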

Organisations running affected versions should prioritise this update, particularly for internet-facing reverse proxies and API gateways where attackers might more easily position themselves for man-in-the-middle attacks. F5 reports no evidence of active exploitation in the wild, but the public disclosure means proof-of-concept code could emerge quickly.

The February 2026 security notification from F5 also addressed four other issues across its product portfolio, including a separate denial-of-service vulnerability in BIG-IP Advanced WAF. However, CVE-2026-1642 represents the broadest impact given NGINX's ubiquity in modern application delivery infrastructure.

For detailed patch information and affected version lists, administrators should consult F5's official security advisory or review the NGINX security advisories page.
