Improper Header Handling in NGINX Plus and NGINX Open Source SMTP Module
CVE-2026-28753

CVSS v4 score: 6.3 (MEDIUM)

Key Information:

Vendor: F5
CVE Published: 24 March 2026

What is CVE-2026-28753?

NGINX Plus and NGINX Open Source are affected by a vulnerability in the ngx_mail_smtp_module. The issue arises from inadequate handling of Carriage Return Line Feed (CRLF) sequences in DNS responses: the mail proxy resolves names through its configured resolver, and a name that arrives containing CRLF is passed on into the request sent to the SMTP upstream instead of being rejected. An attacker who controls a DNS server that NGINX queries (or who can otherwise supply the response) can therefore inject arbitrary headers into SMTP upstream requests, potentially leading to harmful request manipulation. Note that software versions which have reached End of Technical Support (EoTS) were not evaluated.
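The following is an added illustration of the failure mode described above; it is not NGINX code and does not reproduce the fixed logic. It assumes a proxy that copies a DNS-resolved client name into an upstream SMTP command line (XCLIENT is used here because NGINX's mail proxy can send it to the backend when `xclient` is enabled, but the command name is only illustrative), and it uses a constructed PTR answer, not real traffic. The unsafe builder shows how one CRLF in the DNS answer becomes a second SMTP command on the wire; the hardened builder validates the name against the RFC 1123 hostname grammar first and substitutes the `[UNAVAILABLE]` placeholder that Postfix's XCLIENT extension defines (chosen here as an assumption) when the answer is not a hostname.

```python
import re

# Constructed sample data (not real traffic): what an attacker-controlled DNS
# server might return as the PTR answer for the connecting client's address.
# The "name" carries a CRLF followed by an extra SMTP command.
MALICIOUS_PTR = "mail.example.net\r\nRCPT TO:<victim@example.org>"
BENIGN_PTR = "mail.example.net"

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, with no leading or
# trailing hyphen. CR, LF, spaces, colons and angle brackets all fail this.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name: str) -> bool:
    """Return True only if name is a syntactically valid DNS hostname."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def xclient_line_unsafe(client_ip: str, resolved_name: str) -> str:
    """Vulnerable pattern: the DNS-supplied name is copied verbatim into the
    command line, so any CRLF inside it terminates the command early."""
    return f"XCLIENT ADDR={client_ip} NAME={resolved_name}\r\n"


def xclient_line_safe(client_ip: str, resolved_name: str) -> str:
    """Hardened pattern: validate the name before it touches the wire and fall
    back to a fixed placeholder (assumed here) when the answer is not a hostname."""
    if not is_valid_hostname(resolved_name):
        resolved_name = "[UNAVAILABLE]"
    return f"XCLIENT ADDR={client_ip} NAME={resolved_name}\r\n"


def upstream_commands(wire: str) -> list:
    """How the upstream SMTP server parses the bytes: one command per
    CRLF-terminated line. Returns the list of commands it would act on."""
    return [line for line in wire.split("\r\n") if line]


if __name__ == "__main__":
    # The unsafe builder hands the upstream two commands, the second of which
    # the attacker wrote; the safe builder hands it exactly one.
    for builder in (xclient_line_unsafe, xclient_line_safe):
        print(builder.__name__, upstream_commands(builder("203.0.113.5", MALICIOUS_PTR)))
```

The check belongs at the trust boundary, i.e. where the DNS answer is turned into a string for the SMTP session, not at the point where the line is written, because by then the name may already have been logged, compared or cached as one value while the upstream reads it as two.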

Affected Version(s)

NGINX Open Source 1.29.0 up to, but not including, 1.29.7

NGINX Open Source 0.6.27 up to, but not including, 1.28.3

NGINX Plus R36

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: listed as "Physical", which is not a valid value for this CVSS v4 metric (it takes None or Present); treat as unconfirmed
Privileges Required: listed as "Undefined", which is not a valid value for this CVSS v4 metric (it takes None, Low or High); treat as unconfirmed
User Interaction: None

Timeline

  • Vulnerability published: 24 March 2026

  • Vulnerability reserved

Credit

Asim Viladi Oglu Manizada
Colin Warren
Xiao Liu (Yunnan University)
Yuan Tan (UC Riverside)
Bird Liu (Lanzhou University)