HIGH · CVE-2026-50107 · CNA: f5

CVE-2026-50107: NGINX Gateway Fabric vulnerability

When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
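Added example, not code from the NGINX Gateway Fabric project: a minimal Go model of the pattern described above, showing the verbatim interpolation of a CRD-supplied access log format beside a validated rendering. The function names, the forbidden-sequence list and the sample values are assumptions for illustration; the project's real template and the 2.6.4 fix are not reproduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Sequences that let a value escape the quoted string argument of a
// log_format directive or change how NGINX parses the surrounding file.
// Hypothetical, conservative hardening; the real project's checks may differ.
var forbidden = []string{"\"", "'", ";", "{", "}", "#", "\\", "\n", "\r"}

// ValidateLogFormat rejects a CRD-supplied access log format that contains
// any sequence capable of terminating the directive or opening a block.
func ValidateLogFormat(format string) error {
	for _, seq := range forbidden {
		if strings.Contains(format, seq) {
			return fmt.Errorf("access log format contains forbidden sequence %q", seq)
		}
	}
	return nil
}

// RenderLogFormatUnsafe reproduces the vulnerable pattern: the user value is
// interpolated verbatim into the directive, so a value containing `";` ends
// the directive early and whatever follows is parsed as NGINX configuration.
func RenderLogFormatUnsafe(name, format string) string {
	return fmt.Sprintf("log_format %s \"%s\";", name, format)
}

// RenderLogFormatSafe validates the value before rendering it: the template
// only ever receives strings that cannot alter the structure of nginx.conf.
func RenderLogFormatSafe(name, format string) (string, error) {
	if err := ValidateLogFormat(format); err != nil {
		return "", err
	}
	return fmt.Sprintf("log_format %s \"%s\";", name, format), nil
}

func main() {
	// Constructed sample values, not taken from any real CRD.
	good := "$remote_addr - $request [$time_local] $status"
	bad := "$remote_addr\"; # rest of value now sits outside the quoted string"

	fmt.Println(RenderLogFormatUnsafe("custom", bad)) // directive closed after $remote_addr
	if _, err := RenderLogFormatSafe("custom", bad); err != nil {
		fmt.Println("rejected:", err)
	}
	out, _ := RenderLogFormatSafe("custom", good)
	fmt.Println(out)
}
```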

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2.6.4
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a configuration injection vulnerability in NGINX Gateway Fabric, affecting versions 2.3.0 through 2.6.3. An authenticated attacker who has permission to create or modify NginxProxy Custom Resource Definitions can inject arbitrary NGINX configuration directives by supplying unsanitized values into the access log format setting of the configuration generator. Successful exploitation gives the attacker the ability to read sensitive data and tamper with configuration-driven behavior on the control plane. A patched-image rebuild at version 2.6.4 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50107 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images derived from NGINX Gateway Fabric base layers. Any image whose bill of materials resolves to an affected version between 2.3.0 and 2.6.3 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and surfaces it with per-environment compliance policy weighting to determine routing priority. Findings are routed to the team or inbox designated by each customer organization's policy configuration, so the right engineers see it without manual triage steps.

Patch: Available

A patched-image rebuild at NGINX Gateway Fabric 2.6.4 becomes available through HarborGuard once the upstream fix is matched to affected images in a customer registry or pipeline. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Kubernetes API server or the cluster control plane over the network to submit or modify NginxProxy CRD resources.

  • Authentication: Required

    The attacker must hold a low-privilege account with Kubernetes RBAC permissions to create or modify NginxProxy CRD objects; anonymous access is not sufficient.

  • Victim interaction: Not required

    No victim interaction is needed; the injected configuration is rendered the next time the NGINX Gateway Fabric configuration generator processes the CRD.

  • Attack complexity

    The exploit is reliable and condition-free; no race conditions or special environmental layout are required to inject directives into the generated NGINX configuration.

Blast Radius

  • Reads sensitive values accessible through injected NGINX directives, such as upstream connection details or internal header content captured in access logs.
  • Modifies the effective NGINX configuration by inserting arbitrary directives, altering routing rules, timeouts, or access controls beyond what the legitimate CRD schema permits.
  • Expands the attack surface for follow-on exploitation by staging malicious NGINX directives that affect how requests are proxied or logged across all virtual servers managed by the Gateway Fabric instance.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-50107 activates immediately upon ingestion of the advisory, matching any image resolving to NGINX Gateway Fabric 2.3.0 through 2.6.3. For customers who opt into auto-remediation, HarborGuard makes a rebuilt image at version 2.6.4 available, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For customers who manage patching manually, HarborGuard surfaces the finding with full CVSS v4.0 context and routes it according to each organization's compliance policy. Where a rollout to 2.6.4 cannot happen immediately, consider restricting Kubernetes RBAC to limit which principals can create or modify NginxProxy CRD objects, and apply network policies that reduce exposure of the cluster API server to untrusted internal principals.


Fix available: 2.6.4

Affected packages
  • F5 / NGINX Gateway Fabric: < 2.6.4 (from 2.3.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N