CVE-2026-27651: CWE-476 NULL Pointer Dereference in F5 NGINX Open Source
When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2026-27651 is a NULL pointer dereference vulnerability classified under CWE-476 affecting F5's NGINX Open Source and NGINX Plus products. The flaw exists in the ngx_mail_auth_http_module, which handles mail authentication via HTTP. When this module is enabled and configured to use CRAM-MD5 or APOP authentication, an attacker can send crafted requests that cause the worker process to dereference a NULL pointer. This condition arises when the authentication server responds with an Auth-Wait header, indicating the client should retry authentication. The improper handling of this response leads to a crash of the worker process, resulting in denial of service. The vulnerability affects versions 0.5.15 and 1.29.0 of NGINX Open Source, with no patches currently linked. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, no required privileges or user interaction, and a direct impact on availability. No known exploits have been reported in the wild as of the publication date. The issue does not affect versions beyond those listed or those that have reached End of Technical Support. This vulnerability is particularly relevant for deployments using mail proxy features with HTTP-based authentication and the specified authentication mechanisms.
Potential Impact
The primary impact of CVE-2026-27651 is denial of service caused by worker process crashes in NGINX servers configured with the vulnerable module and authentication methods. This can lead to service outages for mail proxy services relying on NGINX, affecting email delivery and authentication workflows. Organizations running affected versions may experience degraded availability, potentially disrupting business communications and dependent applications. Since exploitation requires no authentication and can be performed remotely, attackers can easily trigger the vulnerability to cause repeated crashes, amplifying the denial of service effect. While confidentiality and integrity are not directly impacted, the loss of availability can have cascading operational consequences, including loss of customer trust and potential financial losses. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure.
Mitigation Recommendations
To mitigate CVE-2026-27651, organizations should first verify whether the ngx_mail_auth_http_module is enabled and whether CRAM-MD5 or APOP authentication methods are in use. If possible, temporarily disable the vulnerable module or switch to alternative authentication methods that do not trigger the vulnerability. Monitor authentication server responses to ensure they do not return the Auth-Wait header, or configure the server so that it does not permit retries in this manner. Apply any available patches or updates from F5 or NGINX as soon as they are released. Implement robust monitoring of NGINX worker processes to detect crashes, and automate failover or restart mechanisms to minimize downtime. Additionally, consider deploying network-level protections such as rate limiting or filtering to reduce the risk of repeated exploitation attempts. Regularly review and update configurations to align with security best practices for mail proxy authentication.
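The first mitigation step above, checking whether the mail proxy uses HTTP authentication together with CRAM-MD5 or APOP, can be scripted against nginx.conf. The following is an added example written for this page, not code from F5 or the NGINX project; the configuration it inspects is a constructed sample, and the directive names (auth_http, smtp_auth, pop3_auth, imap_auth) are the standard NGINX mail module directives.

```python
import re

# Constructed sample nginx.conf mail context (not taken from the advisory).
# It contains the combination the advisory describes: an HTTP auth backend
# plus CRAM-MD5 on SMTP and APOP on POP3.
SAMPLE_CONF = """
mail {
    server_name mail.example.com;
    auth_http   127.0.0.1:9000/auth;   # backend that may answer Auth-Wait

    server {
        listen     25;
        protocol   smtp;
        smtp_auth  plain login cram-md5;
    }
    server {
        listen     110;
        protocol   pop3;
        pop3_auth  plain apop;
    }
}
"""

# Methods named in the advisory as part of the crash precondition.
RISKY_METHODS = {"cram-md5", "apop"}


def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not counted."""
    return re.sub(r"#[^\n]*", "", conf)


def check_mail_auth(conf):
    """Return (auth_http_present, [(directive, method), ...]) for risky methods."""
    text = strip_comments(conf)
    # '\s+' after auth_http avoids matching the unrelated auth_http_header directive.
    auth_http = re.search(r"\bauth_http\s+[^;]+;", text) is not None
    findings = []
    for m in re.finditer(r"\b(smtp_auth|pop3_auth|imap_auth)\s+([^;]+);", text):
        for method in m.group(2).split():
            if method.lower() in RISKY_METHODS:
                findings.append((m.group(1), method.lower()))
    return auth_http, findings


def is_exposed(conf):
    """True when auth_http is configured together with CRAM-MD5 or APOP."""
    auth_http, findings = check_mail_auth(conf)
    return auth_http and bool(findings)


if __name__ == "__main__":
    present, hits = check_mail_auth(SAMPLE_CONF)
    print("auth_http configured:", present)
    for directive, method in hits:
        print(f"  {directive} enables {method}")
    print("matches advisory precondition:", is_exposed(SAMPLE_CONF))
```

Removing cram-md5 and apop from the auth directives, or removing auth_http, makes is_exposed return False, which is the state the mitigation text asks for.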
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, India
Technical Details
Data Version: 5.2
Assigner Short Name: f5
Date Reserved: 2026-03-18T16:06:38.454Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 69c2a3a3f4197a8e3b3ed938
Added to database: 3/24/2026, 2:45:55 PM
Last enriched: 3/24/2026, 3:09:00 PM
Last updated: 3/26/2026, 5:31:45 AM