CVE-2026-28753 is a vulnerability classified under CWE-93 (Improper Neutralization of CRLF Sequences) found in the ngx_mail_smtp_module of F5's NGINX Open Source and NGINX Plus products. The flaw stems from the improper handling of CRLF (Carriage Return Line Feed) sequences within DNS responses used by the module. Specifically, when NGINX queries DNS servers for upstream SMTP server information, an attacker-controlled DNS server can inject malicious CRLF sequences into the DNS response. This injection enables the attacker to append arbitrary headers into the SMTP upstream request constructed by NGINX. Such header injection can manipulate the SMTP request flow, potentially altering mail routing or causing unexpected behavior in mail processing. The vulnerability requires that the attacker have control or influence over the DNS server responding to NGINX queries, which is a significant constraint. The CVSS v3.1 score is 3.7, reflecting low severity due to high attack complexity, no privileges required, and no direct impact on confidentiality or availability. The vulnerability affects NGINX Open Source versions 1.29.0 and 0.6.27; versions beyond End of Technical Support are not evaluated. No patches are currently linked, and no exploits are known in the wild. This vulnerability highlights the risks of trusting external DNS responses without proper sanitization in network service modules.

The primary impact of this vulnerability is the potential manipulation of SMTP upstream requests by injecting arbitrary headers via malicious DNS responses. While this does not directly compromise confidentiality or availability, it can affect the integrity of mail routing and processing. Attackers could potentially redirect mail traffic, cause mail delivery failures, or bypass certain mail filtering mechanisms by manipulating headers. Organizations relying on NGINX as a mail proxy or SMTP relay could experience mail flow disruptions or unauthorized mail handling behaviors. However, exploitation requires control over DNS responses, limiting the attack surface primarily to environments where DNS servers are untrusted or compromised. The low CVSS score reflects the limited scope and complexity of exploitation. Nonetheless, in sensitive environments such as large mail service providers, enterprises with critical mail infrastructure, or hosting providers, even subtle mail manipulation can have operational and reputational consequences.

To mitigate this vulnerability, organizations should first verify if they are running affected versions of NGINX Open Source (1.29.0 or 0.6.27) or NGINX Plus with the ngx_mail_smtp_module enabled. If so, they should monitor for official patches or updates from F5 and apply them promptly once available. In the absence of patches, administrators should restrict DNS server configurations to trusted and validated DNS resolvers to prevent attacker-controlled DNS responses. Implementing DNSSEC validation can help ensure the authenticity and integrity of DNS responses. Additionally, network segmentation and firewall rules should limit exposure of mail proxy servers to untrusted networks. Logging and monitoring DNS query responses and SMTP upstream requests for anomalous header injections can provide early detection of exploitation attempts. Finally, reviewing mail routing policies and SMTP header handling can reduce the impact of any injected headers.