Heap Buffer Over-read in NGINX Plus MQTT Filter Module
CVE-2026-60065
6.3MEDIUM
What is CVE-2026-60065?
An issue in NGINX Plus occurs when utilizing the Message Queuing Telemetry Transport (MQTT) filter module, allowing unauthenticated remote attackers to send specially crafted requests. This can lead to a heap buffer over-read in the NGINX worker process, resulting in the process restarting unexpectedly. Importantly, this does not expose the control plane, making it a data plane issue that could disrupt service availability.
Affected Version(s)
NGINX Plus 37.0.0.1 < 37.0.3.1
NGINX Plus R36
NGINX Plus R33