NGINX: Man-in-the-middle attackers can inject plain text into responses
OESA-2026-1572
Summary
NGINX users who proxy traffic to upstream TLS servers may be at risk of having responses from those servers tampered with. This could lead to data integrity issues. To protect your systems, update to the latest version of NGINX.
What to do
- Update nginx to version 1.21.5-9.oe2003sp4.
- Update nginx to version 1.21.5-11.oe2203sp4.
- Update nginx to version 1.24.0-7.oe2403sp3.
- Update nginx to version 1.24.0-7.oe2403sp1.
- Update nginx to version 1.24.0-7.oe2403sp2.
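A check against the fixed builds listed above, as an added example that is not part of the advisory: it takes an installed nginx VERSION-RELEASE string (for instance from `rpm -q --qf '%{VERSION}-%{RELEASE}' nginx`), selects the fixed build for its dist tag, and compares the two with a simplified RPM-style comparison. The function names, the sample strings, and the rule that a build at or above the listed fix counts as patched are assumptions.

```python
import re

# Fixed nginx builds per openEuler dist tag, copied from the list above.
FIXED = {
    "oe2003sp4": "1.21.5-9.oe2003sp4",
    "oe2203sp4": "1.21.5-11.oe2203sp4",
    "oe2403sp1": "1.24.0-7.oe2403sp1",
    "oe2403sp2": "1.24.0-7.oe2403sp2",
    "oe2403sp3": "1.24.0-7.oe2403sp3",
}

def _segments(s):
    # Split into numeric and alphabetic runs; separators such as "." are dropped.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp(a, b):
    """Simplified rpmvercmp: numeric runs compare as integers and outrank alphabetic runs."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def check(installed):
    """Return 'patched', 'vulnerable' or 'unknown' for a VERSION-RELEASE string."""
    m = re.fullmatch(r"([^-]+)-([^-]+)", installed.strip())
    if not m:
        return "unknown"
    version, release = m.groups()
    tag = release.partition(".")[2]          # "7.oe2403sp3" -> "oe2403sp3"
    if tag not in FIXED:
        return "unknown"                     # not a build this advisory covers
    fixed_version, fixed_release = FIXED[tag].split("-")
    c = _cmp(version, fixed_version) or _cmp(release, fixed_release)
    return "patched" if c >= 0 else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs, not output from a real host.
    for sample in ("1.21.5-9.oe2203sp4", "1.24.0-7.oe2403sp2", "1.26.1-1.el9"):
        print(sample, "->", check(sample))
```

The release number is compared as an integer, so `9.oe2203sp4` is correctly ordered below `11.oe2203sp4`, which a plain string comparison would get wrong.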
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nginx | <= 1.21.5-9.oe2003sp4 | 1.21.5-9.oe2003sp4 |
| – | nginx | <= 1.21.5-11.oe2203sp4 | 1.21.5-11.oe2203sp4 |
| – | nginx | <= 1.24.0-7.oe2403sp3 | 1.24.0-7.oe2403sp3 |
| – | nginx | <= 1.24.0-7.oe2403sp1 | 1.24.0-7.oe2403sp1 |
| – | nginx | <= 1.24.0-7.oe2403sp2 | 1.24.0-7.oe2403sp2 |
Original title
nginx security update
Original description
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.
Security Fix(es):
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server. The vulnerability is classified as CWE-349: The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. This vulnerability primarily affects data integrity. (CVE-2026-1642)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-1642 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026