Certificate Revocation Vulnerability in NGINX Plus and Open Source
CVE-2026-28755

5.3MEDIUM

Key Information:

Vendor: F5
Status: Nginx Open Source; Nginx Plus
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-28755?

NGINX Plus and NGINX Open Source are impacted by a vulnerability in the ngx_stream_ssl_module that arises from improper management of revoked certificates. When both ssl_verify_client and ssl_ocsp directives are enabled, the system may incorrectly allow a TLS handshake to proceed even if an OCSP check indicates that the certificate has been revoked. This flaw can lead to significant security risks by permitting potentially unauthorized access, thereby undermining the integrity of secure communications.

Affected Version(s)

NGINX Open Source 1.29.0 < 1.29.7

NGINX Open Source 1.27.2 < 1.28.3

NGINX Plus R36

References

https://my.f5.com/manage/s/article/K000160368

vendor-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

Mufeed VH of Winfunc Research

CVE-2026-28755 Data

JSON

F5

What is CVE-2026-28755?

Affected Version(s)

References

CVSS V4

Timeline

Credit