Authenticated Remote Attacker Can Crash NGINX GW Fabric via GRPCRoute
CVE-2026-32682 Published on June 17, 2026

NGINX Gateway Fabric vulnerability
When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-32682 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is an out-of-bounds array index Vulnerability?

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

CVE-2026-32682 has been classified to as an out-of-bounds array index vulnerability or weakness.


Products Associated with CVE-2026-32682

Want to know whenever a new CVE is published for F5 Networks ? stack.watch will email you.

F5 Networks
 

Affected Versions

F5 NGINX Gateway Fabric: