{"id":"CVE-2026-1642","details":"A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","aliases":["BIT-nginx-2026-1642","BIT-nginx-gateway-2026-1642"],"modified":"2026-03-27T09:14:12.861692881Z","published":"2026-02-04T15:16:14.190Z","related":["ALSA-2026:3638","ALSA-2026:4235","ALSA-2026:4705","ALSA-2026:5581","ALSA-2026:5599","MGASA-2026-0033","openSUSE-SU-2026:10158-1"],"references":[{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000159824"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/02/05/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"479e06d88b14ea2b4512545825ccce48ca7ec028"},{"fixed":"073ed33202286a975964c3a08f522bf01dc6fecf"},{"introduced":"235f409907fd60eb2d8f6ecdc0e5cb163dd6d45f"},{"fixed":"1f57d8dc9d386b46ba7e156e25345b70843e7f55"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"fixed":"1.28.2"},{"introduced":"1.29.0"},{"fixed":"1.29.5"}]}},{"type":"GIT","repo":"https://github.com/nginxinc/kubernetes-ingress","events":[{"introduced":"43e537d210c4a3ea6164523a1bed645abb59a435"},{"last_affected":"d263386c93c3f19604f68bd24041e4390f7c2bbe"},{"introduced":"98d94b0bf6918774007b3abcb0f318fa347cdcb2"},{"fixed":"413c0bb5761b1796d2e8490f4bb34881e144ab8d"},{"introduced":"0811b5c898f25d578f72a629fedef506a6511730"},{"last_affected":"561824f3077b7615c2fa764bd6d8e7a47e184857"},{"introduced":"81bae7d0360fdf277b2d3e355d02e410ee211ef8"},{"last_affected":"43349033e28d0b6aa38773ff840deba079654a4f"},{"introduced":"8dfabca757830d0821e86206c2db83044e6696f0"},{"fixed":"a93bb1d70431faf564819218fe65b2d79962eb6c"}],"database_specific":{"versions":[{"introduced":"1.2.0"},{"last_affected":"1.6.2"},{"introduced":"2.0.0"},{"fixed":"2.4.1"},{"introduced":"3.4.0"},{"last_affected":"3.7.2"},{"introduced":"4.0.0"},{"last_affected":"4.0.1"},{"introduced":"5.0.0"},{"fixed":"5.3.3"}]}}],"versions":["release-1.11.0","release-1.11.1","release-1.11.10","release-1.11.11","release-1.11.12","release-1.11.13","release-1.11.2","release-1.11.3","release-1.11.4","release-1.11.5","release-1.11.6","release-1.11.7","release-1.11.8","release-1.11.9","release-1.13.0","release-1.13.1","release-1.13.10","release-1.13.11","release-1.13.12","release-1.13.2","release-1.13.3","release-1.13.4","release-1.13.5","release-1.13.6","release-1.13.7","release-1.13.8","release-1.13.9","release-1.15.0","release-1.15.1","release-1.15.10","release-1.15.11","release-1.15.12","release-1.15.2","release-1.15.3","release-1.15.4","release-1.15.5","release-1.15.6","release-1.15.7","release-1.15.8","release-1.15.9","release-1.17.0","release-1.17.1","release-1.17.10","release-1.17.2","release-1.17.3","release-1.17.4","release-1.17.5","release-1.17.6","release-1.17.7","release-1.17.8","release-1.17.9","release-1.19.0","release-1.19.1","release-1.19.10","release-1.19.2","release-1.19.3","release-1.19.4","release-1.19.5","release-1.19.6","release-1.19.7","release-1.19.8","release-1.19.9","release-1.21.0","release-1.21.1","release-1.21.2","release-1.21.3","release-1.21.4","release-1.21.5","release-1.21.6","release-1.23.0","release-1.23.1","release-1.23.2","release-1.23.3","release-1.23.4","release-1.25.0","release-1.25.1","release-1.25.2","release-1.25.3","release-1.25.4","release-1.25.5","release-1.27.0","release-1.27.1","release-1.27.2","release-1.27.3","release-1.27.4","release-1.27.5","release-1.28.0","release-1.28.1","release-1.29.0","release-1.29.1","release-1.29.2","release-1.29.3","release-1.29.4","release-1.3.0","release-1.3.1","release-1.3.10","release-1.3.11","release-1.3.12","release-1.3.13","release-1.3.14","release-1.3.15","release-1.3.16","release-1.3.2","release-1.3.3","release-1.3.4","release-1.3.5","release-1.3.6","release-1.3.7","release-1.3.8","release-1.3.9","release-1.4.0","release-1.5.0","release-1.5.1","release-1.5.10","release-1.5.11","release-1.5.12","release-1.5.13","release-1.5.2","release-1.5.3","release-1.5.4","release-1.5.5","release-1.5.6","release-1.5.7","release-1.5.8","release-1.5.9","release-1.7.0","release-1.7.1","release-1.7.10","release-1.7.11","release-1.7.12","release-1.7.2","release-1.7.3","release-1.7.4","release-1.7.5","release-1.7.6","release-1.7.7","release-1.7.8","release-1.7.9","release-1.9.0","release-1.9.1","release-1.9.10","release-1.9.11","release-1.9.12","release-1.9.13","release-1.9.14","release-1.9.15","release-1.9.2","release-1.9.3","release-1.9.4","release-1.9.5","release-1.9.6","release-1.9.7","release-1.9.8","release-1.9.9","v1.11.0","v1.11.1","v1.12.0","v1.2.0","v1.3.0","v1.6.0","v1.6.1","v1.6.2","v1.9.0-nsmready","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.1.2","v2.2.0","v2.2.1","v2.2.2","v2.3.0","v2.3.1","v2.4.0","v3.0.0","v3.1.0","v3.2.0","v3.3.0","v3.7.0","v3.7.1","v3.7.2","v4.0.0","v4.0.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"2.15.1"},{"last_affected":"2.21.0"}]},{"events":[{"introduced":"r33"},{"fixed":"r35"}]},{"events":[{"introduced":"0"},{"last_affected":"r32-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"r32-p1"}]},{"events":[{"introduced":"0"},{"last_affected":"r32-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"r32-p3"}]},{"events":[{"introduced":"0"},{"last_affected":"r33-p1"}]},{"events":[{"introduced":"0"},{"last_affected":"r33-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"r33-p3"}]},{"events":[{"introduced":"0"},{"last_affected":"r34-p1"}]},{"events":[{"introduced":"0"},{"last_affected":"r34-p2"}]},{"events":[{"introduced":"0"},{"last_affected":"r35-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"r36-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"r36-p1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-1642.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}