NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

nginx nginx-CVE-2026-28753.html: Injection in auth_http and XCLIENT

The version of nginx installed on the remote host is prior to 1.28.3-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NGINX1-2026-011 advisory.

    When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed     requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP     authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait     response header. Note: Software versions which have reached End of Technical Support (EoTS) are not     evaluated. (CVE-2026-27651)

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow     an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in     termination of the NGINX worker process or modification of source or destination file names outside the     document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV     module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias     directives. The integrity impact is constrained because the NGINX worker process user has low privileges     and does not have access to the entire system. Note: Software versions which have reached End of Technical     Support (EoTS) are not evaluated. (CVE-2026-27654)

    The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,     which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination,     using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with     the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the     attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the     ngx_http_mp4_module module.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-27784)

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the     improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to     inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note:
    Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-28753)

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the     improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on     directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as     revoked.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-28755)

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow     an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its     termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open     Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in     the configuration file. Additionally, the attack is possible only if an attacker can trigger the     processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-32647)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1540 advisory.

    When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed     requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP     authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait     response header. Note: Software versions which have reached End of Technical Support (EoTS) are not     evaluated. (CVE-2026-27651)

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow     an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in     termination of the NGINX worker process or modification of source or destination file names outside the     document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV     module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias     directives. The integrity impact is constrained because the NGINX worker process user has low privileges     and does not have access to the entire system. Note: Software versions which have reached End of Technical     Support (EoTS) are not evaluated. (CVE-2026-27654)

    The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,     which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination,     using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with     the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the     attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the     ngx_http_mp4_module module.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-27784)

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the     improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to     inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note:
    Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-28753)

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the     improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on     directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as     revoked.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-28755)

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow     an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its     termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open     Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in     the configuration file. Additionally, the attack is possible only if an attacker can trigger the     processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    (CVE-2026-32647)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its Server response header, the installed version of nginx is prior to 1.28.3 or 1.29.x prior to 1.29.7. It is, therefore, affected by the following issues :

 - A vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process. (CVE-2026-27654)

 - A vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination. (CVE-2026-27784)

 - A vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. (CVE-2026-32647)

 - When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. (CVE-2026-27651)

 - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. (CVE-2026-28753)

 - A vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. (CVE-2026-28755)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the     improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to     inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note:
    Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-28753)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
306276	Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-011 (ALASNGINX1-2026-011)	Nessus	Amazon Linux Local Security Checks	high
306218	Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2026-1540)	Nessus	Amazon Linux Local Security Checks	high
115174	Nginx < 1.28.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
115173	Nginx 1.29.x < 1.29.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
303521	Linux Distros Unpatched Vulnerability : CVE-2026-28753	Nessus	Misc.	low

Detections

Analytics

CVE-2026-28753

medium

Tenable Plugins

Coming Soon

high

high

high

high

low