{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3af5nginx_ingress_controller/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_ingress_controller:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_ingress_controller:4.0.1:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-50107"},{"cvss":8.1,"id":"CVE-2026-42530"},{"cvss":8.1,"id":"CVE-2026-11311"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":["https://sploitus.com/exploit?id=B132E072-36D8-5390-949D-A06FA9ADC7B5\u0026utm_source=rss\u0026utm_medium=rss"],"_cs_products":["NGINX Plus","NGINX Open Source","NGINX Gateway Fabric","nginx \u003c 1.31.2","XQUIC (\u003c= v1.9.4)","Tengine"],"_cs_severities":["high"],"_cs_tags":["config-injection","nginx","kubernetes","cloud-native","web-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["NGINX","F5","NGINX, Inc.","Alibaba"],"content_html":"\u003cp\u003eA critical injection vulnerability, identified as CVE-2026-50107, affects NGINX Gateway Fabric when utilizing NGINX Plus or NGINX Open Source as its data plane. This flaw resides within the NGINX configuration generator component, where user-supplied string values provided in the \u003ccode\u003eaccess log format\u003c/code\u003e setting of \u003ccode\u003eNginxProxy\u003c/code\u003e Custom Resource Definitions (CRDs) are directly rendered into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker, possessing the necessary permissions to create or modify these CRDs, can exploit this vulnerability to craft malicious values, effectively injecting arbitrary NGINX configuration directives. This is fundamentally a control plane issue, meaning the direct trigger occurs at the management layer, enabling unauthorized changes to the NGINX data plane's behavior without direct data plane exposure during the exploitation itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker gains access to a Kubernetes cluster where NGINX Gateway Fabric is deployed.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages existing permissions or exploits another vulnerability to obtain permissions to create or modify \u003ccode\u003eNginxProxy\u003c/code\u003e Custom Resource Definitions (CRDs) within the cluster.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eNginxProxy\u003c/code\u003e CRD (or modifies an existing one) to include specially crafted string values in the \u003ccode\u003espec.accessLog.format\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eaccess log format\u003c/code\u003e string contains NGINX configuration directives designed for injection, such as \u003ccode\u003eset $variable\u003c/code\u003e, \u003ccode\u003eproxy_pass\u003c/code\u003e, \u003ccode\u003eadd_header\u003c/code\u003e, or \u003ccode\u003eif\u003c/code\u003e statements.\u003c/li\u003e\n\u003cli\u003eNGINX Gateway Fabric's configuration generator processes the attacker-controlled \u003ccode\u003eNginxProxy\u003c/code\u003e CRD and directly renders the unsanitized \u003ccode\u003eaccess log format\u003c/code\u003e string into the underlying NGINX configuration templates.\u003c/li\u003e\n\u003cli\u003eArbitrary NGINX configuration directives are injected into the dynamically generated NGINX configuration files on the data plane nodes.\u003c/li\u003e\n\u003cli\u003eThe NGINX data plane instances reload their configuration, activating the malicious directives which can lead to defense evasion, traffic manipulation, data exfiltration, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-50107 allows an attacker to inject arbitrary NGINX configuration directives. This control plane compromise can lead to significant impacts on the affected services. Attackers could manipulate traffic routing, bypassing security controls, redirecting legitimate requests, or enabling internal network access. They could also modify NGINX logging configurations to exfiltrate sensitive data or disrupt service availability by introducing malformed or conflicting directives, leading to application denial of service. Furthermore, injected directives could be used to install persistent backdoors within the NGINX configuration, making detection and remediation more challenging. The CVSSv3.1 Base Score of 8.1 indicates a high severity threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50107 immediately by upgrading NGINX Gateway Fabric and its associated components to the versions specified in the vendor's security advisory.\u003c/li\u003e\n\u003cli\u003eImplement robust Kubernetes Role-Based Access Control (RBAC) to restrict permissions for creating or modifying \u003ccode\u003eNginxProxy\u003c/code\u003e CRDs to only authorized and necessary users/service accounts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect NginxProxy CRD Modification with Malicious Access Log Format\u0026quot; to your Kubernetes audit log monitoring solution to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor for unauthorized or anomalous NGINX process reloads or restarts on data plane nodes using the \u0026quot;Detect NGINX Process Reload Initiated by Anomalous User or Process\u0026quot; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T11:52:12Z","date_published":"2026-06-17T20:39:52Z","id":"https://feed.craftedsignal.io/briefs/2026-06-nginx-gateway-fabric-config-injection/","summary":"An injection vulnerability, CVE-2026-50107, exists in the NGINX configuration generator component of NGINX Gateway Fabric when configured with NGINX Plus or NGINX Open Source as the data plane, allowing authenticated attackers with CRD modification permissions to inject arbitrary NGINX configuration directives via unsanitized user-supplied string values in the access log format setting, leading to control plane compromise and potential defense evasion or system impact.","title":"CVE-2026-50107: NGINX Gateway Fabric Configuration Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-06-nginx-gateway-fabric-config-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}