Cyber Resilience

CVE-2026-27651

HighUpdated

Published: 24 March 2026

Published
24 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 40.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27651 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in F5 Nginx Plus. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27651 affects the ngx_mail_auth_http_module in NGINX Plus and NGINX Open Source. When this module is enabled alongside CRAM-MD5 or APOP authentication, and the authentication server permits retries via the Auth-Wait response header, undisclosed requests can cause worker processes to terminate. Classified as CWE-476 (NULL Pointer Dereference), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity. Versions that have reached End of Technical Support are not evaluated.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending the undisclosed requests to a vulnerable NGINX mail proxy configuration, they can repeatedly terminate worker processes, resulting in denial of service through resource exhaustion or service disruption.

The F5 advisory (K000160383) provides further details on this issue, available at https://my.f5.com/manage/s/article/K000160383.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry…

more

by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in public-facing NGINX mail proxy enables remote unauthenticated crashes of worker processes (T1499.004 Application or System Exploitation); exploitation occurs against an Internet-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27654Same product: F5 Nginx Open Source
CVE-2026-9256Same product: F5 Nginx Open Source
CVE-2025-20045Same vendor: F5
CVE-2026-42409Same vendor: F5
CVE-2026-32647Same product: F5 Nginx Open Source
CVE-2026-27784Same product: F5 Nginx Open Source
CVE-2026-42945Same product: F5 Nginx Open Source
CVE-2026-41956Same vendor: F5
CVE-2025-24312Same vendor: F5
CVE-2025-21091Same vendor: F5

Affected Assets

f5
nginx open source
0.5.15 — 0.9.7 · 1.0.0 — 1.28.3 · 1.29.0 — 1.29.7
f5
nginx plus
r32, r35, r36 · r33 — r35

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the NULL pointer dereference flaw in the ngx_mail_auth_http_module by applying vendor patches or upgrades to supported NGINX versions.

prevent

Prevents exploitation by disabling the unnecessary ngx_mail_auth_http_module, CRAM-MD5/APOP authentication, or Auth-Wait retry capability when not required.

prevent

Mitigates denial-of-service impact from repeated worker process terminations by implementing rate limiting or other DoS protections on NGINX mail proxy endpoints.

References