CVE-2026-27654 PUBLISHED

NGINX ngx_http_dav_module vulnerability

Assigner: f5
Reserved: 18.03.2026 Published: 24.03.2026 Updated: 24.03.2026

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor F5
Product NGINX Open Source
Versions Default: unknown
  • affected from 1.29.0 to 1.29.7 (excl.)
  • affected from 0.5.13 to 1.28.3 (excl.)
Vendor F5
Product NGINX Plus
Versions Default: unknown
  • affected from R36 to R36 P3 (excl.)
  • affected from R35 to R35 P2 (excl.)
  • affected from R34 to * (excl.)
  • affected from R33 to * (excl.)
  • affected from R32 to R32 P5 (excl.)

Credits

  • F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure. reporter

References

Problem Types

  • CWE-122: Heap-based Buffer Overflow CWE