CVE-2026-50107— F5 nginx gateway fabric 输入验证错误漏洞

NGINX Gateway Fabric vulnerability

When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

输出中的特殊元素转义处理不恰当(注入)

F5 nginx gateway fabric 输入验证错误漏洞

F5 nginx gateway fabric是美国F5公司的一款API网关管理解决方案。 F5 nginx gateway fabric 2.3.0版本至2.6.4之前版本存在安全漏洞，该漏洞源于NGINX配置生成器组件中用户提供的NginxProxy自定义资源定义（CRD）访问日志格式设置字符串值未经清理或转义直接渲染到NGINX配置模板，可能导致经过身份验证且具有创建或修改这些CRD权限的攻击者注入任意NGINX配置指令。

N/A

N/A