Heap Buffer Over-read in NGINX Plus MQTT Filter Module
CVE-2026-60065

6.3MEDIUM

Key Information:

Vendor

F5

Vendor
CVE Published:
15 July 2026

What is CVE-2026-60065?

An issue in NGINX Plus occurs when utilizing the Message Queuing Telemetry Transport (MQTT) filter module, allowing unauthenticated remote attackers to send specially crafted requests. This can lead to a heap buffer over-read in the NGINX worker process, resulting in the process restarting unexpectedly. Importantly, this does not expose the control plane, making it a data plane issue that could disrupt service availability.

Affected Version(s)

NGINX Plus 37.0.0.1 < 37.0.3.1

NGINX Plus R36

NGINX Plus R33

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
.