CVE-2026-42926 Overview
CVE-2026-42926 is an improper input handling vulnerability in NGINX Open Source [CWE-172]. The flaw appears when NGINX is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2 and also uses the proxy_set_body directive. Under this configuration, an attacker can inject HTTP/2 frame headers and payload bytes into traffic forwarded to the upstream peer. The issue affects the integrity of upstream communications but does not directly compromise confidentiality or availability of the proxy itself. F5 published advisory K000161131 documenting the issue. Software versions that have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Attackers can inject arbitrary HTTP/2 frame headers and payload bytes into upstream traffic, potentially manipulating backend request semantics.
Affected Products
- NGINX Open Source configured with proxy_http_version 2 and proxy_set_body
- NGINX Open Source deployments acting as HTTP/2 reverse proxies
- Supported versions that have not reached End of Technical Support (see the vendor advisory for the exact affected range)
Discovery Timeline
- 2026-05-13 - CVE-2026-42926 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42926
Vulnerability Analysis
The vulnerability resides in how NGINX constructs upstream HTTP/2 requests when the proxy_set_body directive overrides the request body. When proxy_http_version is set to 2, NGINX frames the substituted body as HTTP/2 DATA frames before sending it to the upstream peer. Attacker-influenced content within the request can include bytes that NGINX fails to validate or escape, allowing those bytes to be interpreted as additional frame headers and payloads by the upstream server.
The weakness is classified as [CWE-172] Encoding Error. The proxy does not adequately sanitize or boundary-check the data placed into the upstream HTTP/2 stream. As a result, the attacker controls bytes that the upstream parser treats as legitimate protocol structures.
Root Cause
The root cause is improper encoding of body data placed into HTTP/2 DATA frames when proxy_set_body is in use together with HTTP/2 upstream proxying. NGINX trusts the framed output without enforcing strict frame boundary integrity, allowing attacker-supplied bytes to escape the intended DATA frame context.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to the NGINX proxy. The request includes data that influences the body substituted by proxy_set_body. When NGINX forwards the request to the HTTP/2 upstream, the attacker-controlled bytes are emitted within or alongside DATA frames. The upstream server parses the injected frame headers and payloads as if they were legitimate, enabling request manipulation against the backend.
No verified public proof-of-concept code is available. Refer to the F5 Article K000161131 for vendor-published technical details.
Detection Methods for CVE-2026-42926
Indicators of Compromise
- Unexpected HTTP/2 frames or stream IDs appearing in upstream server logs from NGINX proxy sources
- Backend application logs showing requests with malformed or duplicated headers not originated by legitimate clients
- Anomalous request body sizes or content patterns on upstream peers behind an NGINX HTTP/2 proxy
Detection Strategies
- Audit NGINX configurations for the combination of proxy_http_version 2 and proxy_set_body directives, flagging any matches as in-scope assets
- Inspect HTTP/2 frame sequences between NGINX and upstream peers using protocol-aware network monitoring
- Correlate client request payloads with upstream-observed requests to identify mismatches indicating injection
Monitoring Recommendations
- Enable verbose upstream logging on backend HTTP/2 servers to capture frame-level anomalies
- Forward NGINX access and error logs to a centralized logging or SIEM platform for correlation
- Alert on protocol violations reported by upstream HTTP/2 implementations such as PROTOCOL_ERROR or FRAME_SIZE_ERROR
How to Mitigate CVE-2026-42926
Immediate Actions Required
- Inventory all NGINX Open Source deployments and identify configurations using proxy_http_version 2 with proxy_set_body
- Apply the fixed NGINX Open Source release referenced in F5 Article K000161131 once available for your version
- Restrict network exposure of affected NGINX instances until remediation is complete
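The configuration audit called for under Detection Strategies and again under Immediate Actions needs more than a grep of each location block, because both proxy_http_version and proxy_set_body are inherited from enclosing http and server contexts. The script below is an added example, not code from the advisory or from NGINX; it uses a minimal tokenizer (assumed adequate for ordinary config files, not a full nginx parser) and reports every block that actually proxies upstream with the combination in effect, running on a constructed sample when given no file argument.

```python
"""Audit an nginx config for the CVE-2026-42926 combination: a proxied block
where proxy_http_version 2 and proxy_set_body are both in effect."""
import re
import sys

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(text):
    """Return a list of (name, args, children); children is None for a
    simple directive. Strips '#' comments per line (not a full parser)."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    stack, cur = [[]], []
    for tok in TOKEN_RE.findall(text):
        if tok == "{":                  # open a block named by cur[0]
            block = (cur[0], cur[1:], [])
            stack[-1].append(block); stack.append(block[2]); cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                # end of a simple directive
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        else:
            cur.append(tok.strip("\"'"))
    return stack[0]

def find_vulnerable(nodes, path="", version="1.0", set_body=False):
    """proxy_http_version (default 1.0) and proxy_set_body inherit from
    enclosing http/server blocks; proxy_pass does not, so only blocks
    that actually send upstream requests are reported."""
    for name, args, body in nodes:      # this level overrides inherited values
        if body is None and name == "proxy_http_version" and args:
            version = args[0]
        elif body is None and name == "proxy_set_body":
            set_body = True
    hits = []
    if version == "2" and set_body and any(n[0] == "proxy_pass" for n in nodes):
        hits.append(path or "<root>")
    for name, args, body in nodes:
        if body is not None:
            sub = f"{path}/{name}" + (f" {' '.join(args)}" if args else "")
            hits.extend(find_vulnerable(body, sub, version, set_body))
    return hits

# constructed sample: /api/ inherits version 2 from http{} (flagged); /legacy/ downgrades to 1.1 (not)
SAMPLE_CONF = """http { proxy_http_version 2; server {
    location /api/ { proxy_set_body $request_body; proxy_pass https://backend; }
    location /legacy/ { proxy_http_version 1.1; proxy_set_body $request_body;
                        proxy_pass http://backend; } } }"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("\n".join(find_vulnerable(parse(conf))) or "no vulnerable combination")
```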
Patch Information
F5 published advisory K000161131 covering this vulnerability. Administrators should consult the advisory for the list of fixed versions and upgrade guidance. Versions at End of Technical Support are not evaluated and should be replaced with a supported release.
Workarounds
- Set proxy_http_version to 1.1 for upstream communication where proxy_set_body is required
- Remove the proxy_set_body directive where it is not strictly necessary
- Validate and sanitize any client-controlled data that flows into variables referenced by proxy_set_body
# Configuration example: avoid the vulnerable combination
# Option 1: downgrade upstream protocol where proxy_set_body is needed
location /api/ {
    proxy_http_version 1.1;
    proxy_set_body $request_body;
    proxy_pass http://backend;
}
# Option 2: keep HTTP/2 upstream but remove proxy_set_body
location /api/ {
    proxy_http_version 2;
    proxy_pass https://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.