CVE-2026-42926

MEDIUM 5.8

NGINX ngx_http_proxy_v2_module vulnerability

CVSS Score

5.8

EPSS Score

0.0%

EPSS Percentile

0th

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE	CWE-172
Vendor	f5
Product	nginx open source
Published	May 13, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for f5 nginx open source

Be the first to know when new medium vulnerabilities affecting f5 nginx open source are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

F5 / NGINX Open Source

1.29.4 < 1.30.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

my.f5.com: https://my.f5.com/manage/s/article/K000161131

Credits

🔍 F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and 章鱼哥 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure.