
Forum Discussion

WiliGasparetto
Mar 30, 2026

OOB Security Notification — Why you should patch NGINX Plus/Open Source now

On March 24, 2026, F5 published an out-of-band security notification covering multiple NGINX vulnerabilities affecting NGINX Plus (R32–R36) and NGINX Open Source (versions before 1.29.7 on the mainline branch and before 1.28.3 on the stable branch).

The advisories span different modules, but the operational theme is the same: an externally reachable NGINX can be forced into worker termination (service disruption) under specific configuration conditions, and in at least one case the underlying defect is a memory over-read/over-write rather than a plain crash.

1) What was disclosed (high-priority items)

CVE-2026-27654 — ngx_http_dav_module (WebDAV COPY/MOVE + alias)

Exposure condition (key detail): vulnerable when the configuration enables the DAV COPY or MOVE methods (dav_methods), uses a prefix location (any non-regex location), and uses the alias directive.

Impact: the advisory describes a buffer overflow in the DAV module; the practical consequence for most deployments is worker termination (DoS).

Fixed versions: NGINX Open Source 1.29.7+ (mainline) and 1.28.3+ (stable) are not vulnerable.

NGINX Plus fixes: F5 lists fixes in R36 P3, R35 P2 and R32 P5 for the affected release trains.

Fast triage

  • Search for DAV usage and alias in every included config file (nginx -T prints the fully resolved configuration, includes expanded):

    • dav_methods (or explicit DAV enablement)
    • locations using alias
    • any exposure of COPY / MOVE methods

If you are not intentionally running WebDAV, treat any accidental enablement as configuration debt and remove it after patching.

CVE-2026-32647 — ngx_http_mp4_module (MP4 parsing)

Exposure condition (critical): affects NGINX only if built with ngx_http_mp4_module and the mp4 directive is used. 

Impact: described as a potential buffer over-read/over-write that a specially crafted MP4 file can trigger, leading to NGINX worker termination and “possibly code execution”.

Fixed versions: 1.29.7+ / 1.28.3+ are listed as not vulnerable for affected NGINX Open Source branches. 

NGINX Plus fixes: included in the F5 patch trains referenced in the March 24 OOB set (R36 P3 / R35 P2 / R32 P5 per F5 advisory table).

Fast triage

  • Confirm whether you use MP4 streaming support:

    • search configs for mp4;
    • identify any public endpoints serving MP4 via NGINX with this directive enabled

If you don’t need MP4 pseudo-streaming, removing the mp4 directive reduces attack surface, but patching remains the correct fix.

CVE-2026-27651 — ngx_mail_auth_http_module (Mail auth_http, CRAM-MD5/APOP, Auth-Wait)

Exposure condition: the issue can occur when (1) CRAM-MD5 or APOP authentication is enabled and (2) the authentication server permits a retry by returning the Auth-Wait response header.

Impact: undisclosed requests can cause worker processes to terminate, disrupting mail traffic while workers restart. 

Fixed versions: NGINX Open Source 1.29.7+ / 1.28.3+ are listed as not vulnerable. 

NGINX Plus fixes: included in the March 24 patch trains (R36 P3 / R35 P2 / R32 P5 in the F5 OOB set).

Fast triage

  • If you run NGINX Mail proxy:

    • check mail blocks for auth_http
    • confirm whether CRAM-MD5/APOP is enabled
    • validate auth server retry behavior (presence of Auth-Wait in responses)

2) Why this matters in real corporate environments

Even when the “headline” is DoS/worker termination, the blast radius is often larger than teams expect:

  • Edge/API gateway instability → cascading retries, upstream saturation, false “app outage” incidents.
  • Ingress controllers → noisy failovers and transient 5xx/connection resets.
  • Media endpoints (mp4) → high public exposure + predictable attacker paths.
  • Mail proxies → intermittent auth failures and user-visible disruption.

In other words: treat this set as high priority when NGINX is Internet-facing or is a shared ingress layer for multiple applications.

3) Patch targets (what “good” looks like)

NGINX Open Source

  • Upgrade to 1.29.7 (mainline) or 1.28.3 (stable branch) to land the fixes referenced across the advisories.

NGINX Plus

  • Apply the vendor patches listed in the March 24 OOB notification set (e.g., R36 P3 / R35 P2 / R32 P5 as indicated by F5’s advisory table).

4) TAC-style triage workflow (minimal time, maximum signal)

Step A — Identify exposure by configuration (not by assumption)

  1. DAV: locate dav_methods + alias + COPY/MOVE capability in any prefix location.  
  2. MP4: locate mp4 directive usage; confirm the module is built/available.  
  3. Mail auth_http: locate mail auth_http usage and CRAM-MD5/APOP + Auth-Wait retry conditions.  
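The three Step A checks (and the three "Fast triage" lists above) as one added shell helper. This is not code from the original post, from F5's notification or from the NGINX project. It assumes two inputs: the fully resolved config dump that `nginx -T` prints (includes expanded) and the build banner from `nginx -V`. The function names, the sample config and the sample banner are constructed here, and the version check treats any branch other than 1.28.x / 1.29.x as needing an upgrade, which is an assumption rather than something the notification states.

```shell
#!/bin/sh
# Added triage helper for Step A; not part of the F5 notification or NGINX itself.
# Input: the fully resolved config dump from `nginx -T` (includes expanded) and the
# build banner from `nginx -V`. The sample dump and banner at the bottom are constructed.
# CVE-2026-27654 signal 1: dav_methods enables COPY or MOVE anywhere in the dump.
dav_copy_move_enabled() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*dav_methods[^;]*[[:space:]](COPY|MOVE)([[:space:]]|;)'
}

# CVE-2026-27654 signal 2: an alias directive inside a non-regex location.
# Heuristic: remembers the modifier of the most recent "location" line; regex
# locations start with ~ or ~*, everything else (none, =, ^~) counts as prefix.
alias_in_prefix_location() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*location[ \t]/ { prefix = ($2 !~ /^~/) }
    /^[ \t]*alias[ \t]/ && prefix { found = 1 }
    END { exit !found }'
}

# CVE-2026-32647: the mp4 directive is in use.
mp4_directive_used() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}

# CVE-2026-27651: mail proxy uses auth_http and offers CRAM-MD5 or APOP. Whether
# the auth server answers Auth-Wait is not in nginx config; check the backend itself.
mail_auth_http_with_cram_or_apop() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth_http[[:space:]]' &&
    printf '%s\n' "$1" | grep -Eqi '^[[:space:]]*(smtp|pop3|imap)_auth[^;]*(cram-md5|apop)'
}

# Compiled-in module check: $1 = `nginx -V 2>&1` output, $2 = module name.
# Modules loaded with load_module do not show here; grep the dump for those too.
built_with_module() {
  printf '%s\n' "$1" | grep -q -- "--with-$2"
}

# "1.28.2" out of the banner line "nginx version: nginx/1.28.2".
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9.]*\).*/\1/p' | head -n 1
}

# NGINX Open Source fixed-version check per the notification: 1.28.3+ (stable),
# 1.29.7+ (mainline). Any other branch returns 1 (assumption: treat it as needing
# an upgrade, since no other branch is listed as fixed). NGINX Plus is judged by
# release/patch level (R36 P3 etc.), not by this function.
oss_version_is_fixed() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ "${1:-0}" -eq 1 ] || return 1
  case ${2:-0} in
    28) [ "${3:-0}" -ge 3 ] ;;
    29) [ "${3:-0}" -ge 7 ] ;;
    *)  return 1 ;;
  esac
}

# One line per finding; returns 0 when at least one exposure condition matched.
triage_report() {
  cfg=$1; build=$2; hits=0
  if dav_copy_move_enabled "$cfg" && alias_in_prefix_location "$cfg"; then
    echo "DAV  : COPY/MOVE enabled and alias in a prefix location (CVE-2026-27654)"; hits=1
  fi
  if mp4_directive_used "$cfg"; then
    echo "MP4  : mp4 directive in use (CVE-2026-32647)"; hits=1
  fi
  if mail_auth_http_with_cram_or_apop "$cfg"; then
    echo "MAIL : auth_http with CRAM-MD5/APOP, verify Auth-Wait on the auth server (CVE-2026-27651)"; hits=1
  fi
  for m in http_dav_module http_mp4_module mail; do
    if built_with_module "$build" "$m"; then echo "BUILD: compiled with --with-$m"; fi
  done
  v=$(version_from_banner "$build")
  if [ -n "$v" ]; then
    if oss_version_is_fixed "$v"; then echo "VER  : $v carries the fixes"
    else echo "VER  : $v is below 1.28.3 / 1.29.7 or on an unlisted branch"; fi
  fi
  [ "$hits" -eq 1 ]
}

# Constructed sample: DAV COPY/MOVE with alias in a prefix location, mp4, and mail.
SAMPLE_CONFIG='http {
    server {
        location /files/ {
            alias /srv/files/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
        }
        location ~ \.mp4$ {
            mp4;
        }
    }
}
mail {
    auth_http 127.0.0.1:9000/auth;
    pop3_auth plain apop cram-md5;
}'
SAMPLE_BUILD='nginx version: nginx/1.28.2
configure arguments: --with-http_dav_module --with-http_mp4_module --with-mail'
triage_report "$SAMPLE_CONFIG" "$SAMPLE_BUILD"
```

On a real host run `triage_report "$(nginx -T 2>&1)" "$(nginx -V 2>&1)"`; `nginx -T` needs read access to every included file and fails on a config that does not parse, so run it as the same user the service uses. The DAV check is deliberately conservative: it flags COPY/MOVE and a prefix-location alias anywhere in the dump, not only when both sit in the same location, because the notification's wording does not require them to. Treat every hit as "patch first, then decide whether the feature should exist at all".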
Step B — Prioritize patching

  • Highest urgency: Internet-facing NGINX where any of the above features are active.
  • Next: shared ingress even if internal-only (lateral attacker model / compromised internal host).
  • Lowest: unused modules with no directive usage (still patch, but schedule with normal cadence).

Step C — Validate after patching (avoid silent regressions)

  • Canary if possible (small % traffic)
  • Smoke tests:

    • auth flows
    • upload/download flows (where DAV might have been enabled)
    • MP4 endpoints (if applicable)
    • mail auth paths
  • Monitor:

    • worker restarts
    • 4xx/5xx rates
    • upstream error rates and latency
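The "worker restarts" item in Step C, as an added shell check that is not part of the original post. When a worker dies, the nginx master writes an `[alert]` line of the form `worker process <pid> exited on signal <n>` to the error log (a graceful exit is logged as `exited with code 0` instead), so counting those lines before and after the rollout gives the cheapest restart metric. The log lines below are constructed in that format; the function names and the signal set used by the gate are this example's own choices.

```shell
#!/bin/sh
# Added Step C check, not part of the original post. Counts abnormal worker exits
# in an nginx error log and gates a rollout on the memory-fault ones.
# The sample lines are constructed in the master process's log format.
SAMPLE_ERROR_LOG='2026/03/25 10:00:01 [notice] 100#100: start worker process 101
2026/03/25 10:00:01 [notice] 100#100: start worker process 102
2026/03/25 10:12:43 [alert] 100#100: worker process 101 exited on signal 11 (core dumped)
2026/03/25 10:12:43 [notice] 100#100: start worker process 103
2026/03/25 10:12:44 [error] 103#103: *1 open() "/srv/files/x" failed (2: No such file or directory)
2026/03/25 10:20:15 [alert] 100#100: worker process 102 exited on signal 6
2026/03/25 11:00:00 [notice] 100#100: signal process started'

CRASH_RE='worker process [0-9]+ exited on signal [0-9]+'

# Total abnormal worker exits in the log text given as $1 (prints 0 when none).
worker_crash_count() {
  printf '%s\n' "$1" | grep -Ec "$CRASH_RE" || true
}

# Exits on signals that point at memory corruption: SIGILL 4, SIGABRT 6, SIGBUS 7,
# SIGSEGV 11. These are what the over-read/over-write issues above would produce;
# SIGTERM/SIGKILL sent by an operator also show up as "exited on signal" but are
# deliberately not counted here.
memory_fault_crash_count() {
  printf '%s\n' "$1" | grep -Ec 'worker process [0-9]+ exited on signal (4|6|7|11)( |$)' || true
}

# "signal N: count" per signal, sorted, for the incident write-up.
crash_signal_histogram() {
  printf '%s\n' "$1" | awk -v re="$CRASH_RE" '
    $0 ~ re { for (i = 1; i <= NF; i++) if ($i == "signal") sig[$(i + 1)]++ }
    END { for (s in sig) print "signal " s ": " sig[s] }' | sort
}

# Rollout gate: pass only if no worker died on a memory-fault signal.
post_patch_gate() {
  [ "$(memory_fault_crash_count "$1")" -eq 0 ]
}

echo "worker crashes: $(worker_crash_count "$SAMPLE_ERROR_LOG")"
crash_signal_histogram "$SAMPLE_ERROR_LOG"
if post_patch_gate "$SAMPLE_ERROR_LOG"; then echo "gate: pass"
else echo "gate: FAIL (memory-fault crashes present)"; fi
```

Feed it the canary's error log with `post_patch_gate "$(cat /var/log/nginx/error.log)"` (or the journal output for containerised nginx) and compare `worker_crash_count` for the same window before and after the patch. A non-zero memory-fault count on a patched build is a reason to stop the rollout and open a support case, not something to wait out.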

5) Key references

  • F5 OOB notification landing page:  
  • NGINX official security advisories (fixed versions and affected ranges):  
  • NVD details (exposure conditions and impact statements):

    • MP4 module condition + impact:  
    • DAV module condition:  
    • Mail auth_http condition (Auth-Wait, CRAM-MD5/APOP):