CVE-2026-27651

High

Published: 24 March 2026

Published

24 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0004 13.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27651 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in F5 Nginx Plus. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the NULL pointer dereference flaw in the ngx_mail_auth_http_module by applying vendor patches or upgrades to supported NGINX versions.

CM-7 Least Functionality good match

prevent

Prevents exploitation by disabling the unnecessary ngx_mail_auth_http_module, CRAM-MD5/APOP authentication, or Auth-Wait retry capability when not required.

SC-5 Denial-of-service Protection partial match

prevent

Mitigates denial-of-service impact from repeated worker process terminations by implementing rate limiting or other DoS protections on NGINX mail proxy endpoints.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

NULL pointer dereference in public-facing NGINX mail proxy enables remote unauthenticated crashes of worker processes (T1499.004 Application or System Exploitation); exploitation occurs against an Internet-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry…

by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Deeper analysisAI

CVE-2026-27651 affects the ngx_mail_auth_http_module in NGINX Plus and NGINX Open Source. When this module is enabled alongside CRAM-MD5 or APOP authentication, and the authentication server permits retries via the Auth-Wait response header, undisclosed requests can cause worker processes to terminate. Classified as CWE-476 (NULL Pointer Dereference), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity. Versions that have reached End of Technical Support are not evaluated.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending the undisclosed requests to a vulnerable NGINX mail proxy configuration, they can repeatedly terminate worker processes, resulting in denial of service through resource exhaustion or service disruption.

The F5 advisory (K000160383) provides further details on this issue, available at https://my.f5.com/manage/s/article/K000160383.

Details

CWE(s): CWE-476

Affected Products

nginx open source

0.5.15 — 0.9.7 · 1.0.0 — 1.28.3 · 1.29.0 — 1.29.7

nginx plus

r32, r35, r36 · r33 — r35

CVEs Like This One

CVE-2026-27654Same product: F5 Nginx Open Source

CVE-2025-20045Same vendor: F5

CVE-2026-32647Same product: F5 Nginx Open Source

CVE-2026-27784Same product: F5 Nginx Open Source

CVE-2025-21091Same vendor: F5

CVE-2025-24312Same vendor: F5

CVE-2025-20058Same vendor: F5

CVE-2026-29785Shared CWE-476

CVE-2025-14727Same vendor: F5

CVE-2026-33283Shared CWE-476

References

https://my.f5.com/manage/s/article/K000160383
Vendor Advisory · f5sirt@f5.com