PatchSiren cyber security CVE debrief

CVE-2026-40460 F5 CVE debrief

CVE-2026-40460 is a medium-severity vulnerability (CVSS 6.9) in NGINX Plus and NGINX Open Source that applies only when the HTTP/3 QUIC module is configured. An attacker can spoof the client source IP address that NGINX attributes to their requests; any control that trusts that address, such as allow/deny authorization rules or rate limits keyed on the client address, can then be bypassed. Software versions that have reached End of Technical Support (EoTS) are not evaluated. Users of affected versions should review and apply the patches or mitigations provided by the vendor.

Vendor
F5
Product
NGINX Plus
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-13
Original CVE updated
2026-06-29
Advisory published
2026-05-13
Advisory updated
2026-06-29

Who should care

Organizations running NGINX Plus or NGINX Open Source with the HTTP/3 QUIC module configured (a listen directive carrying the quic parameter) should prioritize patching or mitigating this vulnerability. Deployments that serve only HTTP/1.1 and HTTP/2 over TCP are not affected as described, but should confirm that no quic listener is present. Security teams and administrators responsible for NGINX should assess exposure accordingly. The impact lands on every control that keys on the client address: IP-based authorization can be bypassed, and per-client rate limits can be evaded, which weakens a common denial-of-service defense.

Technical summary

The vulnerability lies in the HTTP/3 QUIC module (ngx_http_v3_module) of NGINX Plus and NGINX Open Source and is classed as CWE-290 (Authentication Bypass by Spoofing). When exploited, it allows an attacker to spoof the source IP address that NGINX attributes to their requests. Because authorization (allow/deny) and rate limiting are commonly keyed on that address, both can be bypassed. Affected versions listed in the advisory record are NGINX Plus R32 through R36, NGINX Open Source 1.25.0 through 1.30.0, and various versions of NGINX Gateway Fabric, NGINX Ingress Controller, NGINX Instance Manager, and NGINX WAF. HTTP/3 support arrived in NGINX Open Source 1.25.0 and the module is only active when a listen directive carries the quic parameter, so exposure requires both a build that includes the module and a configuration that uses it.

Defensive priority

Apply the fixed versions or mitigations F5 publishes for the affected NGINX products. Until that is done, the exposed code path is the QUIC listener: where HTTP/3 is not required, removing the quic parameter from listen directives (and any Alt-Svc header advertising HTTP/3) removes the affected component from service, with clients falling back to HTTP/1.1 or HTTP/2 over TCP; this follows from the affected component, so check the F5 advisory for the vendor's own mitigation guidance. Independently of this bug, treat the client source address as untrusted input: controls that must survive address spoofing should rely on authenticated identity (client certificates, tokens) rather than allow/deny by IP. Adding rate limiting is not a mitigation here, since address-keyed rate limiting is one of the controls the spoofing defeats.

Recommended defensive actions

  • Apply the patches or fixed versions F5 provides for the affected NGINX Plus, NGINX Open Source and related product versions; consult the advisory for the specific fixed builds.
  • Inventory which NGINX instances are built with the HTTP/3 module and actually configure a quic listener; only those are exposed.
  • Where HTTP/3 is not needed, remove the quic parameter from listen directives until patched. Where it is needed, do not rely on source-IP allow/deny rules or address-keyed rate limits as the sole protection for sensitive locations; require authenticated identity instead.
  • Treat NGINX access logs with care when investigating: if the client address was spoofed, $remote_addr records the spoofed value, so look for effects rather than sources, for example request volumes on a rate-limited location well above what the configured limit permits, or activity on IP-restricted locations that does not match the expected clients.
  • Update incident response plans to account for the possibility that client addresses logged for HTTP/3 traffic during the exposure window were attacker-controlled.
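The exposure assessment the second bullet calls for, as an added example for this debrief (not code from F5 or the NGINX project): a POSIX shell script that reads the output of nginx -V and nginx -T, reports whether the HTTP/3 module is compiled in and whether a quic listener is configured, flags versions inside the NGINX Open Source range listed above, and lists the allow/deny and address-keyed limit_req_zone / limit_conn_zone directives that a spoofed address would bypass. The function names are the example's own, the sample nginx -V and nginx -T outputs embedded in it are constructed and stand in for a real host, and the version range is copied from this debrief's affected-version list as a triage hint, not a statement of which builds are fixed.

```shell
# Exposure triage for CVE-2026-40460 (source-IP spoofing via the NGINX HTTP/3 QUIC module).
# Added example for this debrief, not code from F5 or the NGINX project. It does not detect or
# exploit the bug; it answers the questions that decide whether a host is in scope (module
# compiled in? quic listener configured?) and lists the directives that trust the client address.
# Assumes the usual text form of `nginx -V` and `nginx -T` output.

# Succeed if `nginx -V` output (stdin) shows the HTTP/3 module compiled in.
built_with_http_v3() {
    grep -q -- '--with-http_v3_module'
}

# Print the bare version from `nginx -V` output (stdin), e.g. "1.27.4".
nginx_version() {
    sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# Print each `listen` directive in an `nginx -T` dump (stdin) that carries the quic parameter.
# Commented-out lines do not match: the line has to start with the directive.
quic_listeners() {
    grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:]]|;)'
}

# Print directives that decide access or rate limits from the client address: allow/deny rules,
# and limit_req_zone / limit_conn_zone keyed on $binary_remote_addr or $remote_addr.
address_keyed_controls() {
    grep -E '^[[:space:]]*(allow|deny)[[:space:]]|^[[:space:]]*limit_(req|conn)_zone[[:space:]]+\$(binary_)?remote_addr'
}

# Succeed if VERSION lies within 1.25.0 .. 1.30.0, the NGINX Open Source range this debrief lists
# as affected. Triage hint only; the F5 advisory is the authority on which builds are fixed.
version_in_listed_range() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$n" -ge 1025000 ] && [ "$n" -le 1030000 ]
}

# Run every check over captured `nginx -V` and `nginx -T` text. Prints findings and returns 0
# when the exposed pattern is present (module built in AND a quic listener configured), else 1.
assess() {
    v_out=$1; t_out=$2
    ver=$(printf '%s\n' "$v_out" | nginx_version)
    printf 'nginx version: %s\n' "${ver:-unknown}"
    if version_in_listed_range "$ver"; then
        echo 'version is inside the Open Source range listed as affected'
    fi
    if ! printf '%s\n' "$v_out" | built_with_http_v3; then
        echo 'HTTP/3 module not compiled in: not exposed'
        return 1
    fi
    listeners=$(printf '%s\n' "$t_out" | quic_listeners)
    if [ -z "$listeners" ]; then
        echo 'HTTP/3 module built in but no quic listener configured: not exposed'
        return 1
    fi
    echo 'EXPOSED: quic listener(s) configured:'
    printf '%s\n' "$listeners"
    controls=$(printf '%s\n' "$t_out" | address_keyed_controls)
    if [ -n "$controls" ]; then
        echo 'controls keyed on the client address (bypassable if that address is spoofed):'
        printf '%s\n' "$controls"
    fi
}

# Constructed sample output standing in for `nginx -V 2>&1` on a host (not a real system).
SAMPLE_V='nginx version: nginx/1.27.4
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module'

# Constructed sample output standing in for `nginx -T 2>&1`: a QUIC listener plus the two kinds
# of address-keyed control the spoofing would bypass.
SAMPLE_T=$(cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        http3 on;
        location /admin/ {
            allow 10.0.0.0/8;
            deny all;
            limit_req zone=perip burst=20;
        }
    }
}
EOF
)

# The same site with QUIC switched off: clients use HTTP/1.1 or HTTP/2 over TCP instead.
SAFE_T=$(printf '%s\n' "$SAMPLE_T" | grep -v -E 'quic|http3 on')

echo '== constructed sample =='
assess "$SAMPLE_V" "$SAMPLE_T"
if command -v nginx >/dev/null 2>&1; then
    echo '== this host =='
    assess "$(nginx -V 2>&1)" "$(nginx -T 2>&1)" || :
fi
```

Run it on each NGINX host (nginx -T needs read access to the configuration files). A host is only in scope when the script reports both the module and a quic listener; the address-keyed controls it lists are the ones to review or to back with authenticated identity while the fix is rolled out.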

Evidence notes

The CVE record and the NVD entry describe the vulnerability, its impact, and the affected versions. A vendor advisory from F5 is available and should be consulted for the specific fixed versions and mitigation guidance.

Official resources

This article is AI-assisted and based on the supplied source corpus.