<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3af5nginx_gateway_fabric/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 17 Jun 2026 20:39:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3af5nginx_gateway_fabric/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-50107: NGINX Gateway Fabric Configuration Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-06-nginx-gateway-fabric-config-injection/</link><pubDate>Wed, 17 Jun 2026 20:39:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-nginx-gateway-fabric-config-injection/</guid><description>An injection vulnerability, CVE-2026-50107, exists in the NGINX configuration generator component of NGINX Gateway Fabric when configured with NGINX Plus or NGINX Open Source as the data plane, allowing authenticated attackers with CRD modification permissions to inject arbitrary NGINX configuration directives via unsanitized user-supplied string values in the access log format setting, leading to control plane compromise and potential defense evasion or system impact.</description><content:encoded><![CDATA[<p>A critical injection vulnerability, identified as CVE-2026-50107, affects NGINX Gateway Fabric when utilizing NGINX Plus or NGINX Open Source as its data plane. This flaw resides within the NGINX configuration generator component, where user-supplied string values provided in the <code>access log format</code> setting of <code>NginxProxy</code> Custom Resource Definitions (CRDs) are directly rendered into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker, possessing the necessary permissions to create or modify these CRDs, can exploit this vulnerability to craft malicious values, effectively injecting arbitrary NGINX configuration directives. This is fundamentally a control plane issue, meaning the direct trigger occurs at the management layer, enabling unauthorized changes to the NGINX data plane's behavior without direct data plane exposure during the exploitation itself.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker gains access to a Kubernetes cluster where NGINX Gateway Fabric is deployed.</li>
<li>The attacker leverages existing permissions or exploits another vulnerability to obtain permissions to create or modify <code>NginxProxy</code> Custom Resource Definitions (CRDs) within the cluster.</li>
<li>The attacker crafts a malicious <code>NginxProxy</code> CRD (or modifies an existing one) to include specially crafted string values in the <code>spec.accessLog.format</code> field.</li>
<li>The malicious <code>access log format</code> string contains NGINX configuration directives designed for injection, such as <code>set $variable</code>, <code>proxy_pass</code>, <code>add_header</code>, or <code>if</code> statements.</li>
<li>NGINX Gateway Fabric's configuration generator processes the attacker-controlled <code>NginxProxy</code> CRD and directly renders the unsanitized <code>access log format</code> string into the underlying NGINX configuration templates.</li>
<li>Arbitrary NGINX configuration directives are injected into the dynamically generated NGINX configuration files on the data plane nodes.</li>
<li>The NGINX data plane instances reload their configuration, activating the malicious directives which can lead to defense evasion, traffic manipulation, data exfiltration, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50107 allows an attacker to inject arbitrary NGINX configuration directives. This control plane compromise can lead to significant impacts on the affected services. Attackers could manipulate traffic routing, bypassing security controls, redirecting legitimate requests, or enabling internal network access. They could also modify NGINX logging configurations to exfiltrate sensitive data or disrupt service availability by introducing malformed or conflicting directives, leading to application denial of service. Furthermore, injected directives could be used to install persistent backdoors within the NGINX configuration, making detection and remediation more challenging. The CVSSv3.1 Base Score of 8.1 indicates a high severity threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50107 immediately by upgrading NGINX Gateway Fabric and its associated components to the versions specified in the vendor's security advisory.</li>
<li>Implement robust Kubernetes Role-Based Access Control (RBAC) to restrict permissions for creating or modifying <code>NginxProxy</code> CRDs to only authorized and necessary users/service accounts.</li>
<li>Deploy the Sigma rule &quot;Detect NginxProxy CRD Modification with Malicious Access Log Format&quot; to your Kubernetes audit log monitoring solution to identify attempts to exploit this vulnerability.</li>
<li>Monitor for unauthorized or anomalous NGINX process reloads or restarts on data plane nodes using the &quot;Detect NGINX Process Reload Initiated by Anomalous User or Process&quot; Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>config-injection</category><category>nginx</category><category>kubernetes</category><category>cloud-native</category><category>web-vulnerability</category><category>cve</category></item></channel></rss>