Skip to content
Threat Feed
high advisory PoC updated

CVE-2026-50107: NGINX Gateway Fabric Configuration Injection Vulnerability

An injection vulnerability, CVE-2026-50107, exists in the NGINX configuration generator component of NGINX Gateway Fabric when configured with NGINX Plus or NGINX Open Source as the data plane, allowing authenticated attackers with CRD modification permissions to inject arbitrary NGINX configuration directives via unsanitized user-supplied string values in the access log format setting, leading to control plane compromise and potential defense evasion or system impact.

What's new

  • l2 added CVE-2026-11311 +1 Jul 10, 11:52 via the-hacker-news
  • l2 poc_available; OS linux Jun 19, 20:08 via sploitus
  • l2 added CVE-2026-11311 +3 Jun 18, 09:43 via securityweek

A critical injection vulnerability, identified as CVE-2026-50107, affects NGINX Gateway Fabric when utilizing NGINX Plus or NGINX Open Source as its data plane. This flaw resides within the NGINX configuration generator component, where user-supplied string values provided in the access log format setting of NginxProxy Custom Resource Definitions (CRDs) are directly rendered into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker, possessing the necessary permissions to create or modify these CRDs, can exploit this vulnerability to craft malicious values, effectively injecting arbitrary NGINX configuration directives. This is fundamentally a control plane issue, meaning the direct trigger occurs at the management layer, enabling unauthorized changes to the NGINX data plane's behavior without direct data plane exposure during the exploitation itself.

Attack Chain

  1. An authenticated attacker gains access to a Kubernetes cluster where NGINX Gateway Fabric is deployed.
  2. The attacker leverages existing permissions or exploits another vulnerability to obtain permissions to create or modify NginxProxy Custom Resource Definitions (CRDs) within the cluster.
  3. The attacker crafts a malicious NginxProxy CRD (or modifies an existing one) to include specially crafted string values in the spec.accessLog.format field.
  4. The malicious access log format string contains NGINX configuration directives designed for injection, such as set $variable, proxy_pass, add_header, or if statements.
  5. NGINX Gateway Fabric's configuration generator processes the attacker-controlled NginxProxy CRD and directly renders the unsanitized access log format string into the underlying NGINX configuration templates.
  6. Arbitrary NGINX configuration directives are injected into the dynamically generated NGINX configuration files on the data plane nodes.
  7. The NGINX data plane instances reload their configuration, activating the malicious directives which can lead to defense evasion, traffic manipulation, data exfiltration, or denial of service.

Impact

The successful exploitation of CVE-2026-50107 allows an attacker to inject arbitrary NGINX configuration directives. This control plane compromise can lead to significant impacts on the affected services. Attackers could manipulate traffic routing, bypassing security controls, redirecting legitimate requests, or enabling internal network access. They could also modify NGINX logging configurations to exfiltrate sensitive data or disrupt service availability by introducing malformed or conflicting directives, leading to application denial of service. Furthermore, injected directives could be used to install persistent backdoors within the NGINX configuration, making detection and remediation more challenging. The CVSSv3.1 Base Score of 8.1 indicates a high severity threat.

Recommendation

  • Patch CVE-2026-50107 immediately by upgrading NGINX Gateway Fabric and its associated components to the versions specified in the vendor's security advisory.
  • Implement robust Kubernetes Role-Based Access Control (RBAC) to restrict permissions for creating or modifying NginxProxy CRDs to only authorized and necessary users/service accounts.
  • Deploy the Sigma rule "Detect NginxProxy CRD Modification with Malicious Access Log Format" to your Kubernetes audit log monitoring solution to identify attempts to exploit this vulnerability.
  • Monitor for unauthorized or anomalous NGINX process reloads or restarts on data plane nodes using the "Detect NGINX Process Reload Initiated by Anomalous User or Process" Sigma rule.

Detection coverage 2

Detect NginxProxy CRD Modification with Malicious Access Log Format

high

Detects CVE-2026-50107 exploitation — attempts to create or update NginxProxy CRDs with NGINX configuration injection keywords in the access log format setting, indicative of arbitrary NGINX directive injection.

sigma tactics: defense_evasion techniques: T1562, T1562.001 sources: audit_logs, kubernetes

Detect NGINX Process Reload Initiated by Anomalous User or Process

medium

Detects an NGINX process reload or restart command executed by a user or process not typically associated with NGINX Gateway Fabric operations, which could indicate post-exploitation activity after configuration injection.

sigma tactics: defense_evasion, execution techniques: T1059.004, T1562.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →