Platform: nginx
Component: nginx
Fixed in: 1.29.7, 1.28.3, R36 P3, R35 P2, *, *, R32 P5, 0.9.8, 1.28.4, 35.0.1
CVE-2026-27651 describes a vulnerability in Nginx Plus and Nginx Open Source versions 0.5.15 through R35. When the ngx_mail_auth_http_module is enabled and CRAM-MD5 or APOP authentication is active, a malicious actor can cause worker processes to terminate by exploiting the Auth-Wait response header returned by the authentication server. This vulnerability is rated HIGH severity (CVSS 7.5) and is addressed in version R36 P3.
The primary impact of CVE-2026-27651 is the potential for denial-of-service (DoS). An attacker can repeatedly send crafted authentication requests that trigger worker processes to terminate, effectively disrupting the Nginx server's ability to handle legitimate requests. This can lead to service unavailability and impact users relying on the Nginx server for web serving, reverse proxying, or mail handling. The vulnerability's reliance on the Auth-Wait header suggests an attack pattern where an attacker controls the authentication server and can manipulate the response to induce process termination. The blast radius is limited to the affected Nginx instances, but widespread exploitation could impact multiple services depending on Nginx.
CVE-2026-27651 was publicly disclosed on 2026-03-24. There is no current indication of active exploitation or KEV listing. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit given control over the authentication server. The EPSS score is currently unknown.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-27651 is to upgrade to Nginx version R36 P3 or later, which includes the fix. If immediate upgrading is not possible, consider the following workarounds. First, disable the Auth-Wait response header on the authentication server. Second, if CRAM-MD5 or APOP authentication is not essential, disable these authentication methods entirely. Monitor Nginx worker process health and resource utilization for unusual spikes or terminations. Implement rate limiting on authentication requests to prevent rapid triggering of the vulnerability. After upgrading, confirm the fix by attempting to trigger the authentication flow with a crafted request and verifying that worker processes do not terminate.
Update NGINX Open Source to version 1.29.7 or later, or to the corresponding version of NGINX Plus that includes the fix. Disabling CRAM-MD5 or APOP authentication also mitigates the vulnerability.
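To make the two workarounds above checkable, here is an added example (not code from the advisory or from the NGINX project) that audits an nginx mail{} configuration for the risky combination the text describes (auth_http in use together with cram-md5 or apop in pop3_auth, imap_auth or smtp_auth) and counts worker-process exits in error-log lines, which is the symptom the text says to monitor. The two configurations and the log lines are constructed samples; the directive names and the "worker process N exited ..." message shapes are the real ones nginx uses. Removing the methods from the config is a workaround only; the fix remains the upgrade.

```python
"""Audit helpers for the CVE-2026-27651 exposure: mail{} config review and
worker-exit monitoring. Sample configs and log lines are constructed."""
import re
from collections import Counter

# nginx mail directives that choose the SASL methods offered per protocol.
AUTH_RE = re.compile(r"^(pop3_auth|imap_auth|smtp_auth)\s+([^;]*);")
# auth_http (not auth_http_header/auth_http_timeout) means ngx_mail_auth_http_module is in use.
AUTH_HTTP_RE = re.compile(r"^auth_http\s+[^;]+;")
RISKY_METHODS = {"cram-md5", "apop"}

# Constructed: the exposed layout (auth_http plus CRAM-MD5/APOP enabled).
VULNERABLE_CONF = """
mail {
    server_name mail.example.com;          # hypothetical host
    auth_http   127.0.0.1:9000/auth;       # hypothetical auth backend
    pop3_auth   plain apop cram-md5;
    imap_auth   plain login cram-md5;
    smtp_auth   plain login cram-md5;
    server { listen 110; protocol pop3; }
}
"""

# Constructed: same layout with the workaround applied (CRAM-MD5 and APOP removed).
HARDENED_CONF = """
mail {
    server_name mail.example.com;
    auth_http   127.0.0.1:9000/auth;
    pop3_auth   plain;
    imap_auth   plain login;
    smtp_auth   plain login;
    server { listen 110; protocol pop3; }
}
"""


def audit_mail_config(conf_text):
    """Return [(directive, [risky methods...]), ...] for a mail{} block that also
    uses auth_http; an empty list means the risky combination is not configured.
    Line-based parse: handles the usual one-directive-per-line layout, does not
    follow include files."""
    in_mail, depth, auth_http, risky = False, 0, False, []
    for raw in conf_text.splitlines():
        ln = raw.split("#", 1)[0].strip()  # drop comments
        if not ln:
            continue
        if not in_mail:
            if re.match(r"^mail\s*\{", ln):
                in_mail, depth = True, 1
            continue
        depth += ln.count("{") - ln.count("}")
        if AUTH_HTTP_RE.match(ln):
            auth_http = True
        m = AUTH_RE.match(ln)
        if m:
            hit = sorted(RISKY_METHODS & set(m.group(2).split()))
            if hit:
                risky.append((m.group(1), hit))
        if depth == 0:
            in_mail = False
    return risky if auth_http else []


# Message shapes nginx's master process logs when a worker exits.
WORKER_EXIT_RE = re.compile(
    r"worker process \d+ exited (?P<reason>on signal \d+|with (?:fatal )?code \d+)"
)

# Constructed error-log lines: one clean exit (reload) and two abnormal ones.
SAMPLE_LOG = [
    "2026/03/24 12:00:01 [notice] 1000#0: worker process 1010 exited with code 0",
    "2026/03/24 12:00:05 [alert] 1000#0: worker process 1011 exited on signal 11 (core dumped)",
    "2026/03/24 12:00:06 [alert] 1000#0: worker process 1012 exited on signal 11 (core dumped)",
    "2026/03/24 12:00:07 [info] 1000#0: client 10.0.0.5 closed connection while SSL handshaking",
]


def count_worker_exits(log_lines):
    """Counter of worker exits keyed by reason, e.g. {'on signal 11': 2, 'with code 0': 1}."""
    counts = Counter()
    for ln in log_lines:
        m = WORKER_EXIT_RE.search(ln)
        if m:
            counts[m.group("reason")] += 1
    return counts


def abnormal_worker_exits(log_lines):
    """Exits other than a clean 'with code 0', which reloads and shutdowns produce."""
    return sum(n for reason, n in count_worker_exits(log_lines).items()
               if reason != "with code 0")


if __name__ == "__main__":
    print("vulnerable:", audit_mail_config(VULNERABLE_CONF))
    print("hardened:", audit_mail_config(HARDENED_CONF))
    print("abnormal worker exits:", abnormal_worker_exits(SAMPLE_LOG))
```

A burst of abnormal exits while mail authentication traffic is flowing, on an instance where the audit reports findings, is the signal to prioritise the upgrade; a count of clean exits alone is expected during reloads.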
CVE-2026-27651 is a HIGH severity vulnerability affecting Nginx Plus and Open Source versions 0.5.15 through R35. It allows attackers to terminate worker processes by exploiting the Auth-Wait response header during CRAM-MD5 or APOP authentication.
You are affected if you are running Nginx Plus or Open Source version 0.5.15 through R35 and have the ngx_mail_auth_http_module enabled with CRAM-MD5 or APOP authentication.
Upgrade to Nginx version R36 P3 or later. As a temporary workaround, disable the Auth-Wait response header or disable CRAM-MD5/APOP authentication.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited.
Please refer to the official Nginx security advisory for CVE-2026-27651 on the Nginx website.