CVE-2026-40460 Overview
CVE-2026-40460 affects NGINX Plus and NGINX Open Source when built and configured with the HTTP/3 QUIC module (ngx_http_v3_module). The flaw allows a remote attacker to spoof the client source IP address that NGINX attributes to a request. Successful exploitation bypasses authorization controls or rate-limiting policies that rely on the client IP for identification. The weakness is classified as authentication bypass by spoofing (CWE-290). It is exploitable over the network without privileges or user interaction. Versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.
Critical Impact
Attackers can forge the client source IP address that NGINX sees for HTTP/3 (QUIC) requests and thereby evade IP-based access control lists, geo-restrictions, and rate limits enforced in NGINX configuration. Any decision that trusts the client address for a QUIC request is affected.
Affected Products
- NGINX Plus configured with the HTTP/3 QUIC module
- NGINX Open Source configured with the HTTP/3 QUIC module
- F5 NGINX deployments using QUIC-based listeners
Discovery Timeline
- 2026-05-13 - CVE-2026-40460 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40460
Vulnerability Analysis
The vulnerability resides in how NGINX derives the client address when the HTTP/3 QUIC module is active. QUIC runs over UDP. With TCP, the three-way handshake means an off-path attacker who forges a source address never receives the server's SYN-ACK and cannot complete a connection, so the kernel-supplied peer address is trustworthy by the time NGINX handles a request. UDP gives no such guarantee: the source address of a datagram is whatever the sender wrote into the IP header, and it is only as trustworthy as the validation the protocol above it performs. In affected builds NGINX accepts the datagram source address as the client address without sufficient validation against connection state, so an attacker can send QUIC packets carrying an arbitrary source IP and have that address propagated into request handling as the client address.
Downstream modules that depend on the client address for security decisions then operate on attacker-controlled data: ngx_http_access_module (allow and deny rules), ngx_http_limit_req_module and ngx_http_limit_conn_module when keyed on $binary_remote_addr, ngx_http_geo_module for geo-based policy, and ngx_http_realip_module's set_real_ip_from trust list. Logging and analytics pipelines fed by the $remote_addr variable also receive falsified values.
Root Cause
The root cause is improper validation of the QUIC connection origin before the source address is accepted as authoritative. Because UDP cannot prove a sender's address, QUIC (RFC 9000) defines explicit address validation: a token delivered in a Retry packet or NEW_TOKEN frame that the client must echo in its Initial packet during the handshake, and PATH_CHALLENGE/PATH_RESPONSE probing when packets for an existing connection arrive from a new address. The HTTP/3 implementation in affected NGINX builds does not enforce this validation in a way that prevents spoofed packets from influencing access-control logic. This page does not identify which validation step is skipped; the F5 Knowledge Base article K000161068 is the authoritative description.
Attack Vector
An attacker sends HTTP/3 QUIC packets with a forged source address to an exposed NGINX listener (typically UDP/443). No privileges or user interaction are needed, so exploitation can originate from any internet-connected host whose network does not filter spoofed source addresses on egress (BCP 38 filtering, where deployed, blocks this). The attacker chooses a source address that satisfies an allow list, falls within a trusted CIDR, or spreads requests across many addresses so that no rate-limit bucket keyed on client address fills up. NGINX's replies are sent to the forged address, not to the attacker, so the attacker cannot read responses; the request is nevertheless processed, and the access or rate decision is made on forged data. Authorization checks tied to IP reputation, geo-fencing, or per-client throttling can be circumvented. See the F5 Knowledge Base Article for vendor technical details.
Detection Methods for CVE-2026-40460
Indicators of Compromise
- HTTP/3 requests on the QUIC listener (UDP/443) whose $remote_addr falls in an internal or allow-listed CIDR range and that succeed against IP-restricted locations
- High volumes of HTTP/3 requests whose $remote_addr values are unroutable, unallocated, or belong to hosts that exchange no other traffic with the server
- Authorization grants for IP-restricted resources that arrive only over HTTP/3, with no matching activity from the same client over a TCP listener (HTTP/1.1 or HTTP/2)
Detection Strategies
- Correlate NGINX access logs with firewall and NetFlow records to find HTTP/3 requests whose source addresses are not otherwise seen communicating with the server, and treat IP-based grants over HTTP/3 as unverified until the network path confirms the address
- Alert when HTTP/3 request throughput on UDP/443 exceeds the configured limit_req rate while the rejection count (503 by default, or whatever limit_req_status sets) stays near zero, and when per-address request counts are uniformly low across many distinct addresses
- Baseline which client IPs normally present which TLS SNI and User-Agent values, and alert when an HTTP/3 request from a trusted address presents a combination never seen from that address over TCP
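The two log-based indicators above (IP-restricted paths granted over HTTP/3 from a trusted range, and HTTP/3 throughput above the configured rate with no rejections) can be checked directly against the access log. The script below is an added example, not code from the advisory or from the NGINX project. It assumes a constructed log_format that records $remote_addr, $server_protocol, $time_local, $request and $status in that order (adjust LOG_RE to your own format); TRUSTED_NETS and PROTECTED_PREFIXES are placeholders for your own allow rules, and the sample log lines are constructed.

```python
"""Scan NGINX access logs for the HTTP/3 indicators listed above.

Added example, not from the advisory or the NGINX project. Assumes this
constructed log_format (adjust LOG_RE to your own):

    log_format h3 '$remote_addr $server_protocol [$time_local] "$request" $status';

NGINX sets $server_protocol to "HTTP/3.0" for QUIC requests, and limit_req
rejects with 503 unless limit_req_status changes it.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<addr>\S+) (?P<proto>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})$'
)

# Ranges that IP-based allow rules trust (assumption; use your own ACLs).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]
# Locations guarded by ngx_http_access_module allow/deny rules (assumption).
PROTECTED_PREFIXES = ("/admin", "/internal")


def parse_line(line):
    """Return one access-log record as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def suspicious_h3_grants(records):
    """Indicator 1: 2xx responses on IP-restricted paths, over HTTP/3, from a
    trusted range. The same hit over TCP is expected; over QUIC the address may
    be forged, so each one needs correlation with the real network path."""
    return [(r["addr"], r["path"], r["status"]) for r in records
            if r["proto"] == "HTTP/3.0"
            and r["path"].startswith(PROTECTED_PREFIXES)
            and 200 <= r["status"] < 300
            and is_trusted(r["addr"])]


def rate_limit_anomaly(records, configured_rps):
    """Indicator 2: HTTP/3 throughput above the configured limit_req rate with
    no rejections. Spraying forged source addresses keeps every per-address
    bucket under the limit, so the address spread is reported as well."""
    h3 = [r for r in records if r["proto"] == "HTTP/3.0"]
    if not h3:
        return {"h3_requests": 0, "anomalous": False}
    span = (max(r["time"] for r in h3) - min(r["time"] for r in h3)).total_seconds()
    per_addr = Counter(r["addr"] for r in h3)
    rejected = sum(1 for r in h3 if r["status"] == 503)
    observed_rps = len(h3) / max(span, 1.0)
    return {
        "h3_requests": len(h3),
        "observed_rps": observed_rps,
        "rejected": rejected,
        "distinct_addrs": len(per_addr),
        "max_per_addr": max(per_addr.values()),
        # Heuristic: burst settings permit short spikes, so tune the threshold.
        "anomalous": observed_rps > configured_rps and rejected == 0,
    }


# Constructed sample log: one genuine admin hit over TCP, three HTTP/3 hits on
# restricted paths from trusted ranges, and a spray of forged addresses hitting
# a rate-limited login endpoint without a single 503.
SAMPLE_LOG = """\
198.51.100.7 HTTP/2.0 [13/May/2026:10:00:00 +0000] "GET / HTTP/2.0" 200
198.51.100.7 HTTP/2.0 [13/May/2026:10:00:00 +0000] "GET /admin/ HTTP/2.0" 403
10.0.0.5 HTTP/2.0 [13/May/2026:10:00:01 +0000] "GET /admin/ HTTP/2.0" 200
10.0.0.5 HTTP/3.0 [13/May/2026:10:00:01 +0000] "GET /admin/ HTTP/3.0" 200
10.0.0.9 HTTP/3.0 [13/May/2026:10:00:01 +0000] "GET /admin/users HTTP/3.0" 200
203.0.113.4 HTTP/3.0 [13/May/2026:10:00:02 +0000] "GET /internal/health HTTP/3.0" 200
198.51.100.7 HTTP/3.0 [13/May/2026:10:00:02 +0000] "GET /admin/ HTTP/3.0" 403
""" + "\n".join(
    f'10.1.2.{i} HTTP/3.0 [13/May/2026:10:00:03 +0000] "POST /api/login HTTP/3.0" 200'
    for i in range(1, 13))

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in suspicious_h3_grants(recs):
        print("IP-restricted path granted over HTTP/3:", hit)
    print(rate_limit_anomaly(recs, configured_rps=5))
```

Run it over a real log by reading the file into parse_log instead of SAMPLE_LOG. The rate check is deliberately coarse: it measures requests per second across the whole input, so feed it one window at a time and compare against the rate and burst values in your limit_req_zone and limit_req directives.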
Monitoring Recommendations
- Enable detailed QUIC connection logging, including the source of the Initial packet and any Retry token issuance; note that Retry tokens are only issued when quic_retry on is configured (the default is off), and that packet-level QUIC detail appears only in the debug error log of a build compiled with --with-debug
- Forward NGINX logs to a centralized analytics platform and baseline expected client IP distributions per endpoint, recording $server_protocol (HTTP/3.0 for QUIC requests) so HTTP/3 traffic can be separated from TCP traffic
- Monitor authorization decision logs for grants tied to sensitive IP-based rules that were served over HTTP/3
How to Mitigate CVE-2026-40460
Immediate Actions Required
- Inventory all NGINX Plus and NGINX Open Source deployments and identify instances built with the HTTP/3 module (nginx -V lists --with-http_v3_module among the configure arguments) and configured with listen ... quic
- Apply the vendor-supplied fix referenced in F5 Knowledge Base Article K000161068 once it is available for your version
- If IP-based controls are security-critical, disable the HTTP/3 QUIC listener on internet-facing NGINX servers until the patch is applied
Patch Information
F5 published advisory K000161068 documenting fixed releases. Consult it to identify the specific patched build for NGINX Plus or NGINX Open Source, and confirm the running binary with nginx -v after upgrading. Versions at End of Technical Support were not evaluated and should be moved to a supported branch.
Workarounds
- Remove the listen ... quic and http3 on directives from server blocks to disable HTTP/3 until patched, and remove any add_header Alt-Svc line advertising h3, otherwise browsers keep attempting QUIC; clients fall back to HTTP/2 or HTTP/1.1 over TCP without further changes
- Enforce IP-based authorization in a layer in front of NGINX that sees the real network path (a firewall or load balancer), or serve IP-restricted locations only from TCP listeners, where the kernel's connection handshake makes the peer address trustworthy
- Key rate limiting for HTTP/3 traffic on an authenticated session identifier (for example a limit_req_zone keyed on $cookie_sessionid) rather than $binary_remote_addr; keep in mind that limit_req does not account requests whose key is empty, so unauthenticated endpoints need a different key
# Configuration example - disable HTTP/3 QUIC listener
server {
    listen 443 ssl;
    # listen 443 quic reuseport;   # commented out to disable HTTP/3
    # http3 on;                    # commented out to disable HTTP/3
    # Also remove any "add_header Alt-Svc ..." line that advertised h3 so
    # clients stop attempting QUIC; they fall back to HTTP/2 or HTTP/1.1.
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.