Injection Vulnerability in NGINX Gateway Fabric Affecting NGINX Plus and Open Source
CVE-2026-50107

8.6HIGH

Key Information:

Vendor: F5
Status: Nginx Gateway Fabric
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-50107?

An injection vulnerability has been identified in the NGINX Gateway Fabric when utilized as a data plane for NGINX Plus and NGINX Open Source. This issue arises in the NGINX configuration generator component, where user-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format are directly rendered into NGINX configuration templates without appropriate sanitization or escaping. An attacker with authenticated access, capable of creating or modifying these CRDs, may exploit this flaw to inject arbitrary NGINX configuration directives, potentially compromising the integrity of the control plane. There is no exposure through the data plane from the triggering event of the vulnerability.

Affected Version(s)

NGINX Gateway Fabric 2.3.0 < 2.6.4

References

https://my.f5.com/manage/s/article/K000161785

vendor-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 17, 2026

Credit

CVE-2026-50107 Data

JSON

F5

What is CVE-2026-50107?

Affected Version(s)

References

CVSS V4

Timeline

Credit