CVE-2026-27654

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000160382	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:f5:nginx_plus:r32:p1::::::
	cpe:2.3:a:f5:nginx_plus:r32:p2::::::
	cpe:2.3:a:f5:nginx_plus:r32:p3::::::
	cpe:2.3:a:f5:nginx_plus:r32:p4::::::
	cpe:2.3:a:f5:nginx_plus:r33:::::::*
	cpe:2.3:a:f5:nginx_plus:r33:p1::::::
	cpe:2.3:a:f5:nginx_plus:r33:p2::::::
	cpe:2.3:a:f5:nginx_plus:r33:p3::::::
	cpe:2.3:a:f5:nginx_plus:r34:::::::*
	cpe:2.3:a:f5:nginx_plus:r34:p1::::::
	cpe:2.3:a:f5:nginx_plus:r34:p2::::::
	cpe:2.3:a:f5:nginx_plus:r35:::::::*
	cpe:2.3:a:f5:nginx_plus:r35:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:::::::*
	cpe:2.3:a:f5:nginx_plus:r36:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:p2::::::

Configuration 2 (hide)

OR	cpe:2.3:a:f5:nginx_open_source::::::::
	cpe:2.3:a:f5:nginx_open_source::::::::
	cpe:2.3:a:f5:nginx_open_source::::::::

History

26 Mar 2026, 21:16

Type	Values Removed	Values Added
CPE		cpe:2.3:a:f5:nginx_plus:r32:p2:::::: cpe:2.3:a:f5:nginx_plus:r33:::::::* cpe:2.3:a:f5:nginx_plus:r36:p2:::::: cpe:2.3:a:f5:nginx_plus:r32:p3:::::: cpe:2.3:a:f5:nginx_plus:r36:::::::* cpe:2.3:a:f5:nginx_open_source:::::::: cpe:2.3:a:f5:nginx_plus:r35:::::::* cpe:2.3:a:f5:nginx_plus:r36:p1:::::: cpe:2.3:a:f5:nginx_plus:r32:p4:::::: cpe:2.3:a:f5:nginx_plus:r33:p3:::::: cpe:2.3:a:f5:nginx_plus:r34:p1:::::: cpe:2.3:a:f5:nginx_plus:r35:p1:::::: cpe:2.3:a:f5:nginx_plus:r34:::::::* cpe:2.3:a:f5:nginx_plus:r34:p2:::::: cpe:2.3:a:f5:nginx_plus:r33:p2:::::: cpe:2.3:a:f5:nginx_plus:r32:p1:::::: cpe:2.3:a:f5:nginx_plus:r33:p1::::::
Summary		(es) NGINX Open Source y NGINX Plus tienen una vulnerabilidad en el módulo ngx_http_dav_module que podría permitir a un atacante desencadenar un desbordamiento de búfer en el proceso de trabajador de NGINX; esta vulnerabilidad puede resultar en la terminación del proceso de trabajador de NGINX o la modificación de nombres de archivos de origen o destino fuera del directorio raíz de documentos. Este problema afecta a NGINX Open Source y NGINX Plus cuando el archivo de configuración utiliza los métodos MOVE o COPY del módulo DAV, ubicación de prefijo (configuración de ubicación sin expresión regular) y directivas alias. El impacto en la integridad está restringido porque el usuario del proceso de trabajador de NGINX tiene privilegios bajos y no tiene acceso a todo el sistema. Nota: Las versiones de software que han alcanzado el Fin del Soporte Técnico (EoTS) no son evaluadas.
First Time		F5 nginx Open Source F5 nginx Plus F5
References	~~() https://my.f5.com/manage/s/article/K000160382 -~~	() https://my.f5.com/manage/s/article/K000160382 - Vendor Advisory

24 Mar 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 15:16

Updated : 2026-03-26 21:16

NVD link : CVE-2026-27654

Mitre link : CVE-2026-27654

CVE.ORG link : CVE-2026-27654

JSON object : View

Products Affected

nginx_plus
nginx_open_source

CWE

CWE-122

Heap-based Buffer Overflow

8.2 /10