CVE-2026-11311: NGINX Gateway Fabric vulnerability
When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: 2.6.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a configuration injection vulnerability in the NGINX configuration generator component of NGINX Gateway Fabric, affecting versions 2.5.0 through 2.6.3. An authenticated attacker with permission to create or modify NginxProxy or AuthenticationFilter Custom Resource Definitions can inject arbitrary NGINX configuration directives by supplying unsanitized values in the serverTokens or extraAuthArgs fields. Successful exploitation allows the attacker to read sensitive data and tamper with the NGINX configuration, potentially redirecting traffic or disabling access controls. A patched-image rebuild at version 2.6.4 is available on HarborGuard for affected environments.
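The injection class described in the synopsis, shown as an added example (not code from NGINX Gateway Fabric or from the 2.6.4 fix): a string field written verbatim into a Go `text/template`, next to a validated render. The template fragment, the allowlist policy and all function names are assumptions made for illustration, and the sample value is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Hypothetical template fragment, not NGINX Gateway Fabric's real template.
var serverTmpl = template.Must(template.New("srv").Parse(
	"server {\n    server_tokens {{ .ServerTokens }};\n}\n"))

// Assumed policy for custom strings: no whitespace, quotes, ';', '{', '}' or '$'.
var safeToken = regexp.MustCompile(`^[A-Za-z0-9._/-]{1,64}$`)

type proxyCfg struct{ ServerTokens string }

// render writes the value into the template verbatim (text/template does no
// escaping); calling it on raw user input is the flaw.
func render(v string) string {
	var b strings.Builder
	_ = serverTmpl.Execute(&b, proxyCfg{v})
	return b.String()
}

// renderChecked validates first and quotes custom strings so NGINX reads
// them as a single argument.
func renderChecked(v string) (string, error) {
	switch v {
	case "on", "off", "build":
	default:
		if !safeToken.MatchString(v) {
			return "", fmt.Errorf("serverTokens %q rejected", v)
		}
		v = `"` + v + `"`
	}
	return render(v), nil
}

// countDirectives counts ';' terminators in the rendered output.
func countDirectives(conf string) int { return strings.Count(conf, ";") }

func main() {
	bad := "off; add_header X-Constructed-Marker 1" // constructed sample value
	fmt.Print(render(bad))
	_, err := renderChecked(bad)
	fmt.Println("checked:", err)
}
```

The unchecked render produces two directives from one field, while the checked render refuses the same value before anything reaches the configuration file.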
HarborGuard Coverage
Detection of CVE-2026-11311 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle NGINX Gateway Fabric. Any image running an affected version (2.5.0 to below 2.6.4) is flagged automatically in the pipeline scan results.
Available
HarborGuard scores this CVE at CVSS 8.6 HIGH and applies per-environment compliance policy weighting to determine urgency before routing the finding to the appropriate team inbox within each customer organization. Environments that classify Kubernetes control plane components as high-sensitivity assets will receive elevated routing priority.
Available
A patched-image rebuild at NGINX Gateway Fabric 2.6.4 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Kubernetes API server or the NGINX Gateway Fabric control plane over the network to submit or modify Custom Resource Definitions.
- Authentication: Required
  Any low-privilege Kubernetes account with RBAC permission to create or update NginxProxy or AuthenticationFilter Custom Resource Definitions is sufficient to trigger the injection.
- Victim interaction: Not required
  No victim interaction is needed; the attacker submits a malicious CRD value directly and the configuration generator processes it without any human approval step.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is required to inject directives into the generated NGINX configuration.
Blast Radius
- Reads sensitive NGINX configuration internals, including upstream definitions, TLS settings, and any secrets rendered into the configuration at generation time.
- Modifies the effective NGINX configuration to redirect or proxy traffic to attacker-controlled destinations, bypassing intended routing rules.
- Disables or overwrites authentication directives injected by AuthenticationFilter resources, removing access controls from proxied services.
- The impact is confined to the NGINX Gateway Fabric control plane; the underlying data plane host and adjacent cluster workloads are not directly affected by the vulnerability trigger itself.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11311 is active for all customer images containing NGINX Gateway Fabric 2.5.0 through 2.6.3. Where compliance policy permits, a rebuild at version 2.6.4 is queued automatically upon detection. For customers with auto-remediation enabled, the typical flow is a patched rebuild, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage their own remediation cadence will find the 2.6.4 rebuild available in their HarborGuard registry the moment the scan cycle completes. As a compensating control while remediation is in progress, tightening Kubernetes RBAC to restrict who can create or modify NginxProxy and AuthenticationFilter Custom Resource Definitions limits the pool of accounts that can trigger the injection, reducing exposure without requiring an immediate image update.
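One way to check the RBAC compensating control described above, as an added example (not HarborGuard or NGINX Gateway Fabric code): flag any Role or ClusterRole document whose rules allow writes to the two resource kinds. The API group `gateway.nginx.org`, the plural resource names and the sample Role are assumptions; confirm the names in your cluster with `kubectl api-resources`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample Role, in the JSON shape the Kubernetes RBAC API uses.
const editorRole = `{"rules":[{"apiGroups":["gateway.nginx.org"],
  "resources":["*"],"verbs":["get","patch"]}]}`

type role struct {
	Rules []struct {
		APIGroups, Resources, Verbs []string // JSON keys match case-insensitively
	}
}

// matches reports whether granted holds "*" or any wanted value.
func matches(granted []string, wanted ...string) bool {
	for _, g := range granted {
		for _, w := range wanted {
			if g == "*" || g == w {
				return true
			}
		}
	}
	return false
}

// grantsWrite reports whether a Role or ClusterRole document allows writes to
// NginxProxy or AuthenticationFilter objects (group and plurals are assumed).
func grantsWrite(doc string) (bool, error) {
	var r role
	if err := json.Unmarshal([]byte(doc), &r); err != nil {
		return false, err
	}
	for _, ru := range r.Rules {
		if matches(ru.APIGroups, "gateway.nginx.org") &&
			matches(ru.Resources, "nginxproxies", "authenticationfilters") &&
			matches(ru.Verbs, "create", "update", "patch") {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println(grantsWrite(editorRole))
}
```

Wildcards are treated as matches, so a broad "edit everything in this group" rule is flagged even though it never names either resource.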
Fix available
- F5 / NGINX Gateway Fabric: < 2.6.4 (from 2.5.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N