Platform: nginx
Component: nginx
Fixed versions: 1.29.7, 1.28.3, R36 P3, R35 P2, *, *, R32 P5, 0.9.8, 1.28.4, 35.0.1
CVE-2026-27651 describes a vulnerability in Nginx Plus and Nginx Open Source versions 0.5.15–r35. When the ngx_mail_auth_http_module is enabled and CRAM-MD5 or APOP authentication is active, a malicious actor can cause worker processes to terminate through the Auth-Wait response header returned by the authentication server. This vulnerability is rated as HIGH severity (CVSS 7.5) and is addressed in version R36 P3.
The primary impact of CVE-2026-27651 is the potential for denial-of-service (DoS). An attacker can repeatedly send crafted authentication requests that trigger worker processes to terminate, effectively disrupting the Nginx server's ability to handle legitimate requests. This can lead to service unavailability and impact users relying on the Nginx server for web serving, reverse proxying, or mail handling. The vulnerability's reliance on the Auth-Wait header suggests an attack pattern where an attacker controls the authentication server and can manipulate the response to induce process termination. The blast radius is limited to the affected Nginx instances, but widespread exploitation could impact multiple services depending on Nginx.
CVE-2026-27651 was publicly disclosed on 2026-03-24. There is no current indication of active exploitation or KEV listing. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit given control over the authentication server. The EPSS score is currently unknown.
Organizations running Nginx Plus or Nginx Open Source version 0.5.15–r35, particularly those using the ngx_mail_auth_http_module with CRAM-MD5 or APOP authentication, are at risk. Shared hosting environments where multiple users share the same Nginx instance are also potentially vulnerable, since a compromised user could trigger the vulnerability and affect other users.
• nginx / server:
# Check the Nginx version
nginx -v
# Monitor worker process health: unexpected terminations appear in the error log as
# "worker process <pid> exited on signal <n>" (adjust the log path to your installation)
grep -E 'worker process [0-9]+ exited on signal' /var/log/nginx/error.log
• generic web:
# Check for the Auth-Wait header in authentication responses (requires traffic analysis tools)
curl -I <authentication_endpoint>
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-27651 is to upgrade to Nginx version R36 P3 or later, which includes the fix. If immediate upgrading is not possible, consider the following workarounds. First, disable the Auth-Wait response header on the authentication server. Second, if CRAM-MD5 or APOP authentication is not essential, disable these authentication methods entirely. Monitor Nginx worker process health and resource utilization for unusual spikes or terminations. Implement rate limiting on authentication requests to prevent rapid triggering of the vulnerability. After upgrading, confirm the fix by attempting to trigger the authentication flow with a crafted request and verifying that worker processes do not terminate.
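As an added example (not code from the advisory or from the nginx project), the following Python script applies two of the checks described above to constructed inputs: it flags and rewrites pop3_auth/imap_auth/smtp_auth directives that enable CRAM-MD5 or APOP, and it detects a burst of worker-process exits on a signal in nginx's standard error-log format. The config fragment, the log lines and the 60-second/3-exit thresholds are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample mail config (not from the advisory); the directives are real nginx mail-module ones.
SAMPLE_MAIL_CONF = """\
mail {
    auth_http 127.0.0.1:9000/auth;
    pop3_auth plain apop cram-md5;
    imap_auth login plain cram-md5;
    smtp_auth login plain;
}
"""

# Constructed nginx error_log lines in nginx's standard format, showing repeated worker exits.
SAMPLE_ERROR_LOG = """\
2026/03/24 10:00:01 [notice] 1000#1000: start worker process 1001
2026/03/24 10:00:05 [alert] 1000#1000: worker process 1001 exited on signal 11 (core dumped)
2026/03/24 10:00:07 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)
2026/03/24 10:00:09 [alert] 1000#1000: worker process 1003 exited on signal 11 (core dumped)
"""

RISKY_METHODS = {"cram-md5", "apop"}  # the two methods named in the advisory
AUTH_DIRECTIVE = re.compile(r"^(\s*)(pop3_auth|imap_auth|smtp_auth)\s+([^;]+);", re.M)
# Matches only exits on a signal; graceful "exited with code 0" lines from a reload are ignored.
WORKER_EXIT = re.compile(r"^(\S+ \S+) \[alert\] \d+#\d+: worker process (\d+) exited on signal (\d+)", re.M)

def risky_auth_directives(conf: str) -> dict[str, set[str]]:
    """Map each *_auth directive to the advisory-relevant methods it enables."""
    found = {}
    for _indent, directive, methods in AUTH_DIRECTIVE.findall(conf):
        risky = RISKY_METHODS & set(methods.split())
        if risky:
            found[directive] = risky
    return found

def harden(conf: str) -> str:
    """Workaround from the advisory: drop cram-md5/apop from every *_auth method list."""
    def rewrite(m: re.Match) -> str:
        kept = [x for x in m.group(3).split() if x not in RISKY_METHODS]
        # keep the directive syntactically valid if nothing else was listed
        return f"{m.group(1)}{m.group(2)} {' '.join(kept or ['plain'])};"
    return AUTH_DIRECTIVE.sub(rewrite, conf)

def worker_exit_burst(log: str, window_s: int = 60, threshold: int = 3) -> bool:
    """True if at least `threshold` worker exits on a signal fall within `window_s` seconds."""
    times = [datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
             for ts, _pid, _sig in WORKER_EXIT.findall(log)]
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False
```

Run `harden` over your own mail block and `worker_exit_burst` over a tail of error.log; a burst of signal exits on a mail-enabled instance is the symptom the advisory describes and is worth alerting on.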
Upgrade NGINX Open Source to version 1.29.7 or later, or to the corresponding NGINX Plus release that includes the fix. Disabling CRAM-MD5 or APOP authentication also mitigates the vulnerability.
CVE-2026-27651 is a HIGH severity vulnerability affecting Nginx Plus and Open Source versions 0.5.15–r35. It allows attackers to terminate worker processes by exploiting the Auth-Wait response header during CRAM-MD5 or APOP authentication.
You are affected if you are running Nginx Plus or Open Source version 0.5.15–r35 and have the ngx_mail_auth_http_module enabled with CRAM-MD5 or APOP authentication.
Upgrade to Nginx version R36 P3 or later. As a temporary workaround, disable the Auth-Wait response header or disable CRAM-MD5/APOP authentication.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited.
Please refer to the official Nginx security advisory for CVE-2026-27651 on the Nginx website.