CVE-2026-27654: CWE-122: Heap-based Buffer Overflow in F5 NGINX Open Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow in the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (non-regular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2026-27654 is a heap-based buffer overflow vulnerability classified under CWE-122 found in the ngx_http_dav_module of F5's NGINX Open Source and NGINX Plus products. This flaw arises when the server configuration employs the DAV module's MOVE or COPY HTTP methods in conjunction with prefix location configurations (non-regular expression) and alias directives. An attacker can send specially crafted HTTP requests that exploit these conditions to trigger a buffer overflow in the NGINX worker process. The overflow may lead to the termination (crash) of the worker process or unauthorized modification of source or destination file names outside the intended document root directory. However, the impact on system integrity is somewhat limited because the NGINX worker process operates with low privileges, restricting access to the broader system. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The affected versions include NGINX Open Source 1.29.0 and 0.5.13. Although no public exploits have been reported yet, the vulnerability has been assigned a CVSS 3.1 base score of 8.2, reflecting high severity due to its potential to disrupt service availability and integrity. Versions that have reached End of Technical Support were not evaluated. No official patches were linked at the time of publication, so mitigation may require configuration changes or updates once available.
Potential Impact
The primary impact of this vulnerability is on the availability and integrity of NGINX web servers configured with the DAV module MOVE or COPY methods alongside prefix location and alias directives. Successful exploitation can cause the NGINX worker process to crash, resulting in denial of service and potential disruption of web services. Additionally, there is a risk of unauthorized modification of file names outside the document root, which could lead to data integrity issues or unauthorized file manipulation within the limited scope of the worker process's permissions. Although the worker process runs with low privileges, the ability to alter file names could be leveraged in chained attacks or to disrupt web content delivery. Organizations relying on NGINX for critical web infrastructure may face service outages or data integrity concerns. The vulnerability is exploitable remotely without authentication, increasing the attack surface and risk, especially for internet-facing servers. The lack of known exploits in the wild currently reduces immediate risk, but the high CVSS score and ease of exploitation warrant urgent attention.
Mitigation Recommendations
Organizations should prioritize upgrading to patched versions of NGINX Open Source and NGINX Plus once they become available from F5. In the interim, administrators should review and modify their NGINX configurations to avoid using the DAV module's MOVE or COPY methods in combination with prefix location and alias directives. Specifically, disabling or restricting the DAV module functionality or avoiding the use of prefix location configurations with alias directives can reduce exposure. Employing strict access controls and limiting the exposure of NGINX servers to trusted networks can also mitigate risk. Monitoring NGINX worker process stability and logs for unusual crashes or file modification attempts can help detect exploitation attempts. Network-level protections such as Web Application Firewalls (WAFs) should be configured to detect and block suspicious MOVE or COPY HTTP requests targeting the DAV module. Finally, ensure that the NGINX worker process runs with the least privileges necessary and that file system permissions are tightly controlled to limit the impact of any potential exploitation.
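The configuration review recommended above can be automated. The following is an added example, not code from F5, NGINX or this page: it flags every non-regex `location` block that contains `alias` while an effective `dav_methods` includes MOVE or COPY. It assumes that any location without a `~` or `~*` modifier counts as a prefix location, and the sample configuration is constructed.

```python
import re

# Added example; parse, audit and SAMPLE are illustrative names, not NGINX or F5 code.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''')
REGEX_MODS = {"~", "~*"}   # location modifiers that select regex matching
RISKY = {"MOVE", "COPY"}   # DAV methods named in the advisory

def parse(tokens):
    """Consume a token iterator into [(words, children_or_None), ...]."""
    nodes, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in (";", "{"):
            nodes.append((words, parse(tokens) if tok == "{" else None))
            words = []
        else:
            words.append(tok)
    return nodes

def audit(conf_text):
    """List non-regex locations that use alias while MOVE or COPY is in effect."""
    # Simplifications: '#' inside quoted strings and include files are not handled.
    tree = parse(iter(TOKEN.findall(re.sub(r"#.*", "", conf_text))))
    findings = []
    def walk(nodes, inherited, loc):
        own = [w[1:] for w, k in nodes if k is None and w[:1] == ["dav_methods"]]
        dav = {m.upper() for m in own[-1]} if own else inherited
        has_alias = any(k is None and w[:1] == ["alias"] for w, k in nodes)
        if loc and loc[1] not in REGEX_MODS and has_alias and dav & RISKY:
            findings.append((" ".join(loc), sorted(dav & RISKY)))
        for w, k in nodes:
            if k is not None:
                is_loc = len(w) > 1 and w[0] == "location"
                walk(k, dav, w if is_loc else None)
    walk(tree, set(), None)
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """
server {
    location /uploads/ { alias /srv/data/uploads/; dav_methods PUT MOVE COPY; }
    location ~ ^/re/(.*)$ { alias /srv/data/$1; dav_methods MOVE; }
    location /put-only/ { alias /srv/data/put/; dav_methods PUT; }
    location /rooted/ { root /srv/data; dav_methods MOVE COPY; }
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because `include` files are not followed, run it over the fully expanded configuration that `nginx -T` prints. A `dav_methods` set at `http` or `server` level is inherited, so a location with only `alias` can still be flagged.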
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: f5
- Date Reserved: 2026-03-18T16:06:38.448Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c2a3a3f4197a8e3b3ed93b
Added to database: 3/24/2026, 2:45:55 PM
Last enriched: 3/24/2026, 3:08:34 PM
Last updated: 3/26/2026, 4:31:56 AM