{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42926","assignerOrgId":"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab","state":"PUBLISHED","assignerShortName":"f5","dateReserved":"2026-05-05T21:19:09.531Z","datePublished":"2026-05-13T14:12:45.695Z","dateUpdated":"2026-05-13T16:16:54.456Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab","shortName":"f5","dateUpdated":"2026-05-13T16:16:54.456Z"},"title":"NGINX ngx_http_proxy_v2_module vulnerability","datePublic":"2026-05-13T14:00:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-172","description":"CWE-172 Encoding Error","type":"CWE"}]}],"affected":[{"vendor":"F5","product":"NGINX Open Source","modules":["ngx_http_proxy_v2_module"],"versions":[{"status":"unaffected","version":"1.31.0","lessThan":"*","versionType":"semver"},{"status":"affected","version":"1.29.4","lessThan":"1.30.1","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","supportingMedia":[{"type":"text/html","base64":false,"value":"<span style=\"background-color: rgb(255, 255, 255);\">When NGINX Open Source is configured to proxy HTTP/2 traffic by setting </span><strong>proxy_http_version</strong><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;to 2, and also uses </span><strong>proxy_set_body</strong><span style=\"background-color: rgb(255, 255, 255);\">, an attacker may be able to inject frame headers and payload bytes to the upstream peer.</span>&nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}],"references":[{"url":"https://my.f5.com/manage/s/article/K000161131","tags":["vendor-advisory","patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"}},{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","baseSeverity":"MEDIUM","baseScore":6.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"}}],"credits":[{"lang":"en","value":"F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and 章鱼哥 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure.","type":"reporter"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"F5 SIRTBot v1.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-13T15:54:52.773305Z","id":"CVE-2026-42926","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-13T16:06:30.263Z"}}]}}