NGINX ngx_mail_auth_http_module Denial-of-Service Vulnerability (CVE-2026-27651)
NGINX Plus and NGINX Open Source are vulnerable to a denial-of-service condition (CVE-2026-27651) when the ngx_mail_auth_http_module is enabled, CRAM-MD5 or APOP authentication is used, and the authentication server permits retry via the Auth-Wait response header, leading to worker process termination.
CVE-2026-27651 is a denial-of-service vulnerability affecting NGINX Plus and NGINX Open Source. It occurs when ngx_mail_auth_http_module is enabled and the server is configured to use CRAM-MD5 or APOP authentication. An attacker can exploit it by sending undisclosed requests that cause worker processes to terminate, leading to a denial-of-service condition. The vulnerability is triggered when the authentication server permits retry by returning the Auth-Wait…
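An added example, not part of the original advisory or of NGINX's own code: a small Python check for the two preconditions that are visible in the nginx configuration, namely `auth_http` in the `mail` block together with `apop` or `cram-md5` in a `pop3_auth`, `imap_auth` or `smtp_auth` directive. Whether the authentication server returns Auth-Wait cannot be read from nginx.conf; `SAMPLE_CONF`, the auth server address and the function names are constructed for illustration.

```python
import re

# Methods the advisory names as part of the vulnerable setup.
RISKY_METHODS = {"apop", "cram-md5"}

# Constructed sample config for illustration (not taken from the advisory).
SAMPLE_CONF = """
mail {
    auth_http 127.0.0.1:9000/auth;   # hypothetical auth server
    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
    }
    server {
        listen 143;
        protocol imap;
        imap_auth plain login;
    }
}
"""

def mail_block(conf: str) -> str:
    """Return the body of the mail { ... } block, or '' if there is none."""
    # Naive comment stripping: does not handle '#' inside quoted strings.
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    m = re.search(r"(?:^|[\s;}])mail\s*\{", conf)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]

def audit(conf: str) -> dict:
    """Report the advisory's config-visible preconditions."""
    body = mail_block(conf)
    # \s+ after the name keeps auth_http_header / auth_http_timeout from matching.
    auth_http = re.search(r"\bauth_http\s+\S", body) is not None
    risky = [(name, method)
             for name, args in re.findall(r"\b(pop3_auth|imap_auth|smtp_auth)\s+([^;]*);", body)
             for method in args.lower().split() if method in RISKY_METHODS]
    return {"auth_http": auth_http, "risky": risky, "exposed": auth_http and bool(risky)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Includes are not followed, so run the check over the full configuration dump from `nginx -T` rather than a single file.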
Detection coverage (2)
NGINX Worker Process Termination
Severity: medium. Detects sudden NGINX worker process terminations, which may indicate exploitation of CVE-2026-27651.
NGINX Auth-Wait Response Header Detection
Severity: low. Detects Auth-Wait headers in responses from authentication servers used by NGINX mail proxy, potentially indicating a vulnerable configuration.
Indicators of compromise: 1 (url)