NGINX HTTP/2 Proxy Body Injection Vulnerability
CVE-2026-42926 Published on May 13, 2026

NGINX ngx_http_proxy_v2_module vulnerability
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
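To find where this combination is live in a deployment, the following added example (not code from the advisory or from F5) walks an nginx configuration and lists each context that calls proxy_pass while proxy_http_version 2 and proxy_set_body are both in effect. It assumes both directives are inherited from outer levels when not set locally; the function names and the sample configuration are constructed for illustration. Feed it the output of `nginx -T`, since `include` files are not followed.

```python
import re

# Quoted string | comment | structural char | bare word (allowing ${var}).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|(?:\$\{\w+\}|[^\s{};])+')
WATCHED = {"proxy_http_version", "proxy_set_body", "proxy_pass"}

def effective(node, name):
    """Value of a directive at this level, else inherited from an outer level."""
    while node is not None:
        if name in node["set"]:
            return node["set"][name]
        node = node["parent"]
    return None

def find_exposed_contexts(conf_text):
    """Paths of proxying contexts where HTTP/2 proxying and proxy_set_body combine."""
    root = {"path": "main", "parent": None, "set": {}}
    nodes, cur, words = [root], root, []
    for tok in (m.group(0) for m in TOKEN.finditer(conf_text)):
        if tok.startswith("#"):          # comment token, ignore
            continue
        if tok not in ("{", "}", ";"):   # part of a directive or block header
            words.append(tok)
            continue
        if tok == "{":                   # open a block named by the collected words
            cur = {"path": f'{cur["path"]} > {" ".join(words)}', "parent": cur, "set": {}}
            nodes.append(cur)
        elif tok == "}":
            cur = cur["parent"] or root
        elif words and words[0] in WATCHED:   # ";" ends a simple directive
            cur["set"][words[0]] = " ".join(words[1:]).strip("\"'")
        words = []
    # Resolve inheritance only after the whole tree is built: directive order
    # inside a block does not matter to nginx.
    return [n["path"] for n in nodes
            if "proxy_pass" in n["set"]       # proxy_pass itself is not inherited
            and effective(n, "proxy_http_version") == "2"
            and effective(n, "proxy_set_body") is not None]

# Constructed sample configuration (not from the advisory).
SAMPLE = """http {
    proxy_http_version 2;            # inherited by every location below
    server {
        location /api/    { proxy_set_body "$request_body"; proxy_pass https://app; }
        location /legacy/ { proxy_http_version 1.1; proxy_set_body "x"; proxy_pass https://app; }
        location /plain/  { proxy_pass https://app; }
    }
}"""

if __name__ == "__main__":
    print("\n".join(find_exposed_contexts(SAMPLE)))
```
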


Vulnerability Analysis

CVE-2026-42926 is exploitable over the network and requires neither privileges nor user interaction. Attack complexity is low. Consistent with the metrics listed below, a successful exploit has a low impact on integrity and no impact on confidentiality or availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

Weakness Type

Encoding Error

The software does not properly encode or decode the data, resulting in unexpected values.


Products Associated with CVE-2026-42926

Affected Versions

F5 NGINX Open Source: