Remote Code Execution Vulnerability in NGINX Gateway Fabric by F5 Networks
CVE-2026-32682

7.1HIGH

Key Information:

Vendor: F5
Status: Nginx Gateway Fabric
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-32682?

An authenticated remote attacker with permission to create or modify GRPCRoute resources in NGINX Gateway Fabric can exploit a configuration flaw. By sending malicious GRPCRoute configurations that contain backendRef filters, the attacker can cause the control plane of NGINX Gateway Fabric to terminate unexpectedly, leading to potential service disruptions and loss of functionality.

Affected Version(s)

NGINX Gateway Fabric 1.3.0 < 2.6.4

References

https://my.f5.com/manage/s/article/K000161786

vendor-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 17, 2026

Credit

CVE-2026-32682 Data

JSON