NGINX ngx_mail_auth_http_module vulnerability
Summary
| CVE | CVE-2026-27651 |
|---|---|
| State | PUBLISHED |
| Assigner | f5 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-24 15:16:32 UTC |
| Updated | 2026-06-30 03:17:56 UTC |
| Description | When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
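The description names two preconditions on the NGINX side that an operator can check from the configuration alone: ngx_mail_auth_http_module in use (`auth_http`), and CRAM-MD5 or APOP enabled on a mail listener. The script below is an added example, not code from the advisory, from F5 or from NGINX. It scans flattened config text such as `nginx -T` output for those directives and, when given a version string, compares it with the NGINX Open Source ranges listed further down this page. The inclusive treatment of the upper bounds, the sample config and the `assess` name are assumptions of the example. Condition (2), the auth server answering with an Auth-Wait header, is not visible in nginx.conf and must be confirmed against the auth backend separately.

```python
"""Exposure check for the CVE-2026-27651 preconditions in an nginx config.

Added example; not code from the advisory, from F5 or from NGINX. It reads
flattened config text (e.g. `nginx -T` output) and reports whether the
preconditions named in the description are present: the mail auth_http
module in use, and CRAM-MD5 or APOP enabled on a mail listener. An optional
version string (`nginx -v` output or a bare "1.28.2") is compared with the
NGINX Open Source ranges listed on this page. Condition (2), the auth
server returning an Auth-Wait header, is not visible in nginx.conf and has
to be confirmed against the auth backend separately.
"""
import re

# Directive names and method keywords are nginx's own mail-module vocabulary.
CHALLENGE_METHODS = {"cram-md5", "apop"}

# NGINX Open Source ranges as listed on this page: 0.5.15 .. 1.28.3 and
# 1.29.0 .. 1.29.7. The page does not say whether the upper bound is
# inclusive; this check treats it as inclusive (assumption, errs toward
# flagging), so confirm the fixed version against the F5 advisory.
AFFECTED_OSS_RANGES = (((0, 5, 15), (1, 28, 3)), ((1, 29, 0), (1, 29, 7)))

# Constructed sample config for the example, not a real deployment.
SAMPLE_CONFIG = """
mail {
    server_name  mail.example.test;
    auth_http    http://127.0.0.1:9000/auth;   # ngx_mail_auth_http_module in use
    auth_http_timeout 5s;

    server {
        listen     110;
        protocol   pop3;
        pop3_auth  plain apop;                 # APOP enabled
    }
    server {
        listen     25;
        protocol   smtp;
        smtp_auth  login plain cram-md5;       # CRAM-MD5 enabled
    }
    server {
        listen     143;
        protocol   imap;
        imap_auth  plain login;                # no challenge method here
    }
}
"""


def parse_version(text):
    """Return (major, minor, patch) from a bare version or `nginx -v` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_OSS_RANGES)


def assess(config_text, version=""):
    """Report the preconditions found in config_text.

    NGINX Plus builds are versioned by release number (R32 .. R36 on this
    page); only Open Source x.y.z versions are range-checked here.
    """
    cfg = re.sub(r"#.*", "", config_text)            # drop comments
    # `auth_http URL;` only; the \s after the name excludes auth_http_timeout etc.
    urls = re.findall(r"\bauth_http\s+([^;\s]+)\s*;", cfg)
    methods = {}
    for directive, args in re.findall(
            r"\b(pop3_auth|imap_auth|smtp_auth)\s+([^;]+);", cfg):
        hits = set(args.split()) & CHALLENGE_METHODS
        if hits:
            methods[directive] = sorted(hits)
    version_affected = version_in_affected_range(version) if version else None
    return {
        "auth_http": urls,
        "challenge_methods": methods,
        "version_affected": version_affected,     # None when no version given
        # Exposed unless a precondition is absent or the version is known-good.
        "exposed": bool(urls) and bool(methods) and version_affected is not False,
    }


if __name__ == "__main__":
    import sys
    cfg = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    print(assess(cfg, sys.argv[1] if len(sys.argv) > 1 else ""))
```

Run it against a live host with `nginx -T 2>/dev/null | python3 check.py "$(nginx -v 2>&1)"` (the script name is arbitrary; `nginx -v` prints to stderr). A result with `auth_http` non-empty and `challenge_methods` non-empty means both configuration-side preconditions from the description are met; whether the auth backend ever sends Auth-Wait still has to be checked on that backend.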
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-476 NULL Pointer Dereference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | F5 | Nginx Open Source | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | F5 | NGINX Open Source | affected 1.29.0 1.29.7 semver | Not specified |
| CNA | F5 | NGINX Open Source | affected 0.5.15 1.28.3 semver | Not specified |
| CNA | F5 | NGINX Plus | affected R36 R36 P3 custom | Not specified |
| CNA | F5 | NGINX Plus | affected R35 R35 P2 custom | Not specified |
| CNA | F5 | NGINX Plus | affected R34 * custom | Not specified |
| CNA | F5 | NGINX Plus | affected R33 * custom | Not specified |
| CNA | F5 | NGINX Plus | affected R32 R32 P5 custom | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream E4S V.9.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream E4S V.9.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V.9.4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat CodeReady Linux Builder EUS V.9.4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat CodeReady Linux Builder EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder V. 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:15945 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6906 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-27651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15966 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8346 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7002 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6923 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15942 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| my.f5.com/manage/s/article/K000160383 | [email protected] | my.f5.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:13680 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27651.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10065 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13634 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15943 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14836 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13839 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6907 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7343 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: F5 acknowledges Arkadi Vainbrand for bringing this issue to our attention and following the highest standards of coordinated disclosure. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-24T15:02:32.414Z | Reported to Red Hat. |
| ADP | 2026-03-24T14:13:27.295Z | Made public. |
Solutions
ADP: RHSA-2026:13634: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:6906: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:6907: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:15942: Red Hat Enterprise Linux AppStream E4S (v.9.0)
ADP: RHSA-2026:14836: Red Hat Enterprise Linux AppStream E4S (v.9.2)
ADP: RHSA-2026:13839: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)
ADP: RHSA-2026:15943: Red Hat Enterprise Linux AppStream EUS (v.9.4)
ADP: RHSA-2026:15945: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:13680: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:15966: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:6923: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7002: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7343: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:8346: Red Hat Hardened Images
ADP: RHSA-2026:10065: Red Hat Update Infrastructure 5
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
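With no mitigation recorded on this page, an operator who cannot patch immediately still needs to notice when worker processes are being terminated. The detector below is an added example, not code from the advisory, from NGINX or from Red Hat. It relies on a generic nginx behaviour: the master process logs every worker death to error.log as `[alert] <pid>#<tid>: worker process <pid> exited on signal <n>` and starts a replacement, so a remotely triggered crash shows up as a steady stream of exits. The advisory does not state which signal the crash produces (a NULL pointer dereference is expected to land as signal 11, SIGSEGV), so the detector counts any fatal signal. The sample log lines, the threshold and window values, and the function names are constructed for the example.

```python
"""Worker-crash churn detector for nginx error.log.

Added example; not code from the advisory, NGINX or Red Hat. nginx's master
process logs every worker death as
`[alert] <pid>#<tid>: worker process <pid> exited on signal <n>` (a generic
event, not specific to this CVE). A NULL pointer dereference is expected to
land as signal 11 (SIGSEGV), but the advisory does not say so, so any signal
is counted. Sample lines below are constructed for the example.
"""
import re
from collections import Counter, deque, namedtuple
from datetime import datetime, timedelta

WORKER_EXIT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
Burst = namedtuple("Burst", "start end count")

# Constructed sample error.log excerpt: three worker deaths in 11 seconds,
# each followed by the master starting a replacement worker.
SAMPLE_LOG = """\
2026/03/24 15:10:01 [notice] 1000#1000: signal 17 (SIGCHLD) received from 1042
2026/03/24 15:10:01 [alert] 1000#1000: worker process 1042 exited on signal 11 (core dumped)
2026/03/24 15:10:01 [notice] 1000#1000: start worker process 1051
2026/03/24 15:10:07 [alert] 1000#1000: worker process 1051 exited on signal 11 (core dumped)
2026/03/24 15:10:07 [notice] 1000#1000: start worker process 1060
2026/03/24 15:10:12 [alert] 1000#1000: worker process 1060 exited on signal 11 (core dumped)
2026/03/24 15:10:12 [notice] 1000#1000: start worker process 1069
2026/03/24 16:00:00 [notice] 1000#1000: signal 1 (SIGHUP) received from 1, reconfiguring
"""


def worker_exits(lines):
    """Yield (timestamp, pid, signal) for every worker-death line."""
    for line in lines:
        m = WORKER_EXIT.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                   int(m["pid"]), int(m["sig"]))


def count_by_signal(lines):
    """Histogram of fatal signals, e.g. {11: 3}."""
    return dict(Counter(sig for _, _, sig in worker_exits(lines)))


def find_crash_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Sliding window over worker deaths: report a Burst whenever `threshold`
    exits fall inside `window`. The window is cleared after each report so
    one sustained burst yields one alert rather than one per extra exit."""
    bursts, recent = [], deque()
    for ts, _pid, _sig in worker_exits(lines):
        recent.append(ts)
        while ts - recent[0] > window:      # drop exits older than the window
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append(Burst(recent[0], ts, len(recent)))
            recent.clear()
    return bursts


if __name__ == "__main__":
    for b in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print("worker crash burst: %d exits between %s and %s"
              % (b.count, b.start, b.end))
```

Feed it the real file with `python3 detect.py < /var/log/nginx/error.log` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin` (name and path are assumptions). A burst on a host whose config has `auth_http` plus CRAM-MD5 or APOP enabled is the signal to correlate against connection logs for the mail listeners and against the auth backend's Auth-Wait responses; a burst on any host is worth a look regardless, since worker churn has other causes the detector cannot tell apart.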