Source IP Spoofing Vulnerability in NGINX Plus and NGINX Open Source
CVE-2026-40460

6.9MEDIUM

Key Information:

Vendor: F5
Status: Nginx Plus; Nginx Open Source
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-40460?

A vulnerability has been identified in NGINX Plus and NGINX Open Source when the HTTP/3 QUIC module is enabled. An attacker could exploit this configuration to spoof their source IP address, potentially leading to a bypass of authorization mechanisms or the evasion of implemented rate limiting controls. This risk highlights the importance of maintaining proper security configurations and vigilance when utilizing advanced features like HTTP/3.

Affected Version(s)

NGINX Open Source 1.26.0 < 1.30.1

NGINX Plus R36

NGINX Plus R32

References

https://my.f5.com/manage/s/article/K000161068

vendor-advisorypatch

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

CVE-2026-40460 Data

JSON