Nginx: Shared IP Port Allows Bypass of Client Certificate Checks
CLEANSTART-2026-ZN32454
Summary
If multiple nginx server blocks share the same IP address and port, an attacker can use session resumption to bypass the client certificate checks required on those servers. This could allow unauthorized access to sensitive information. Update your nginx configuration so that each server has a unique IP and port, or apply the recommended patches to prevent this issue.
What to do
- Update nginx to version 1.26.3-r0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nginx | <= 1.26.3-r0 | 1.26.3-r0 |
Original title
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers
Original description
Multiple security vulnerabilities affect the nginx package. When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. See references for individual vulnerability details.
CVSS 3.1 (osv): 9.8
- https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advis... Vendor Advisory
- https://osv.dev/vulnerability/CVE-2017-7529 URL
- https://osv.dev/vulnerability/CVE-2018-16845 URL
- https://osv.dev/vulnerability/CVE-2019-20372 URL
- https://osv.dev/vulnerability/CVE-2019-9511 URL
- https://osv.dev/vulnerability/CVE-2019-9513 URL
- https://osv.dev/vulnerability/CVE-2019-9516 URL
- https://osv.dev/vulnerability/CVE-2021-23017 URL
- https://osv.dev/vulnerability/CVE-2021-46461 URL
- https://osv.dev/vulnerability/CVE-2021-46462 URL
- https://osv.dev/vulnerability/CVE-2021-46463 URL
- https://osv.dev/vulnerability/CVE-2022-25139 URL
- https://osv.dev/vulnerability/CVE-2022-3638 URL
- https://osv.dev/vulnerability/CVE-2022-41741 URL
- https://osv.dev/vulnerability/CVE-2022-41742 URL
- https://osv.dev/vulnerability/CVE-2023-44487 URL
- https://osv.dev/vulnerability/CVE-2024-31079 URL
- https://osv.dev/vulnerability/CVE-2024-32760 URL
- https://osv.dev/vulnerability/CVE-2024-34161 URL
- https://osv.dev/vulnerability/CVE-2024-35200 URL
- https://osv.dev/vulnerability/CVE-2024-7347 URL
- https://osv.dev/vulnerability/CVE-2025-23419 URL
- https://nvd.nist.gov/vuln/detail/CVE-2017-7529 URL
- https://nvd.nist.gov/vuln/detail/CVE-2018-16845 URL
- https://nvd.nist.gov/vuln/detail/CVE-2019-20372 URL
- https://nvd.nist.gov/vuln/detail/CVE-2019-9511 URL
- https://nvd.nist.gov/vuln/detail/CVE-2019-9513 URL
- https://nvd.nist.gov/vuln/detail/CVE-2019-9516 URL
- https://nvd.nist.gov/vuln/detail/CVE-2021-23017 URL
- https://nvd.nist.gov/vuln/detail/CVE-2021-46461 URL
- https://nvd.nist.gov/vuln/detail/CVE-2021-46462 URL
- https://nvd.nist.gov/vuln/detail/CVE-2021-46463 URL
- https://nvd.nist.gov/vuln/detail/CVE-2022-25139 URL
- https://nvd.nist.gov/vuln/detail/CVE-2022-3638 URL
- https://nvd.nist.gov/vuln/detail/CVE-2022-41741 URL
- https://nvd.nist.gov/vuln/detail/CVE-2022-41742 URL
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487 URL
- https://nvd.nist.gov/vuln/detail/CVE-2024-31079 URL
- https://nvd.nist.gov/vuln/detail/CVE-2024-32760 URL
- https://nvd.nist.gov/vuln/detail/CVE-2024-34161 URL
- https://nvd.nist.gov/vuln/detail/CVE-2024-35200 URL
- https://nvd.nist.gov/vuln/detail/CVE-2024-7347 URL
- https://nvd.nist.gov/vuln/detail/CVE-2025-23419 URL
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026