{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-42055/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-17T15:43:16.661Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-42055","@id":"https://www.cve.org/CVERecord?id=CVE-2026-42055","description":"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream "},"products":[{"@id":"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 1.30.3, 1.31.2, 37.0.2.1, R36 P6.","timestamp":"2026-06-17T15:43:16.661Z"}]}