CVE-2026-32682 | Severity: HIGH | CNA: f5

CVE-2026-32682: NGINX Gateway Fabric vulnerability

When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 2.6.4
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an authenticated denial-of-service vulnerability in NGINX Gateway Fabric affecting versions 1.3.0 through 2.6.3. A remote attacker who holds a Kubernetes RBAC role permitting creation or modification of GRPCRoute resources can crash the Gateway Fabric control plane by submitting a crafted GRPCRoute configuration that includes backendRef filters. Successful exploitation shuts down the control plane, disrupting traffic routing for workloads managed by the gateway. A patched-image rebuild at version 2.6.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-32682 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle NGINX Gateway Fabric. Coverage spans both registry scans and in-pipeline image checks at build time.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.1 HIGH and weighting that score against each environment's compliance policy to determine urgency. Triage results can be routed automatically to the team or inbox responsible for gateway infrastructure within each customer organization.

Patch: Available

A patched-image rebuild pinned to NGINX Gateway Fabric 2.6.4 is available on HarborGuard for any environment running an affected version (1.3.0 through 2.6.3). For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Kubernetes API server over the network to submit the malicious GRPCRoute resource.

  • Authentication: Required

    A low-privilege Kubernetes account with RBAC permission to create or modify GRPCRoute resources is sufficient; no admin credentials are needed.

  • Victim interaction: Not required

    No human interaction is required; the control plane processes the malicious configuration automatically upon submission.

  • Attack complexity: Low (CVSS AC:L)

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required to trigger the crash.

Blast Radius

  • Crashes the NGINX Gateway Fabric control plane process, halting its ability to program NGINX data-plane instances.
  • All traffic routing rules managed by the gateway stop being updated or enforced, disrupting ingress and east-west service traffic for dependent workloads.
  • The outage persists until the control plane is restarted and may recur if the attacker retains GRPCRoute write access.

How HarborGuard Handles This

Available on HarborGuard: images containing NGINX Gateway Fabric versions 1.3.0 through 2.6.3 are matched against this CVE automatically within minutes of publication. For environments where the affected image is detected, a rebuild at version 2.6.4 is available. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Because this vulnerability requires only a low-privilege Kubernetes account, teams that cannot immediately upgrade should review RBAC policies to restrict GRPCRoute create and update permissions to the minimum necessary set of service accounts while the patch is applied.
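The RBAC review suggested above can be scripted. The following is an added example, not HarborGuard's or F5's code: it flags Role/ClusterRole objects whose rules allow create, update or patch on GRPCRoutes (honouring `*` wildcards) and checks whether a given NGINX Gateway Fabric version falls in the advisory's affected range; the sample roles are constructed, and real input would come from `kubectl get clusterroles,roles -A -o json`.

```python
# Audit Kubernetes RBAC rules for write access to GRPCRoute resources.
# Constructed example, not HarborGuard's or NGINX Gateway Fabric's code; the
# roles below are made up and would normally come from
# `kubectl get clusterroles,roles -A -o json`.
from typing import Iterable

GRPCROUTE_GROUP = "gateway.networking.k8s.io"
GRPCROUTE_RESOURCE = "grpcroutes"
WRITE_VERBS = {"create", "update", "patch", "*"}  # verbs that can change a spec

def _matches(values: Iterable[str], wanted: str) -> bool:
    """True if an RBAC list names `wanted` or uses the '*' wildcard."""
    return any(v in (wanted, "*") for v in values)

def rule_grants_grpcroute_write(rule: dict) -> bool:
    """Does one PolicyRule allow create/update/patch on GRPCRoutes?"""
    return (_matches(rule.get("apiGroups", []), GRPCROUTE_GROUP)
            and _matches(rule.get("resources", []), GRPCROUTE_RESOURCE)
            and bool(WRITE_VERBS & set(rule.get("verbs", []))))

def roles_with_grpcroute_write(roles: list) -> list:
    """Names of Role/ClusterRole objects carrying at least one such rule."""
    return [r["metadata"]["name"] for r in roles
            if any(rule_grants_grpcroute_write(x) for x in r.get("rules", []))]

def version_is_affected(version: str) -> bool:
    """Affected range from the advisory: 1.3.0 <= version < 2.6.4.
    Pre-release suffixes (e.g. '-rc1') are ignored."""
    core = version.lstrip("v").split("-")[0]
    v = tuple(int(x) for x in core.split("."))
    return (1, 3, 0) <= v < (2, 6, 4)

# Constructed sample: one over-broad role, one read-only role, one unrelated.
SAMPLE_ROLES = [
    {"metadata": {"name": "gateway-admin"},
     "rules": [{"apiGroups": ["gateway.networking.k8s.io"],
                "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "gateway-viewer"},
     "rules": [{"apiGroups": ["gateway.networking.k8s.io"],
                "resources": ["grpcroutes", "httproutes"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print(roles_with_grpcroute_write(SAMPLE_ROLES))  # ['gateway-admin']
```

Each flagged role should then be traced through its RoleBindings/ClusterRoleBindings to the subjects that hold it; the wildcard `gateway-admin` style grant is the one to narrow first.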


Fix available: 2.6.4

Affected packages
  • F5 / NGINX Gateway Fabric: < 2.6.4 (from 1.3.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N