Buffer Overflow Vulnerability in NGINX Open Source and NGINX Plus
CVE-2026-27654

8.8HIGH

Key Information:

Vendor: F5
Status: Nginx Open Source; Nginx Plus
Vendor: CVE Published:; 24 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-27654?

A vulnerability exists within the ngx_http_dav_module of NGINX Open Source and NGINX Plus that can be exploited to trigger a buffer overflow in the NGINX worker process. This scenario is possible when configuration files utilize the DAV module's MOVE or COPY methods combined with specific prefix locations and alias directives. Although this vulnerability could lead to the termination of the NGINX worker process or unauthorized naming modifications of file sources or destinations outside the document root, its overall impact is mitigated due to the limited privileges of the NGINX worker process user.

Affected Version(s)

NGINX Open Source 1.29.0 < 1.29.7

NGINX Open Source 0.5.13 < 1.28.3

NGINX Plus R36

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-27654
Created by JohannesLks

References

https://my.f5.com/manage/s/article/K000160382

vendor-advisory

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 7, 2026
👾
Exploit known to exist
Apr 7, 2026
Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

CVE-2026-27654 Data

JSON