CVE-2026-28755 is a vulnerability in the ngx_stream_ssl_module of F5's NGINX Open Source and NGINX Plus products. It occurs when the server is configured with ssl_verify_client enabled to require client certificate verification and ssl_ocsp enabled to perform Online Certificate Status Protocol (OCSP) checks to validate certificate revocation status. Due to improper handling of revoked certificates, the TLS handshake can still succeed even if the OCSP responder indicates the client certificate has been revoked. This results in an incorrect authorization condition classified under CWE-863, where the system grants access despite failed authorization checks. The vulnerability affects versions 1.27.2 and 1.29.0 of NGINX Open Source. Exploitation requires an attacker to present a revoked client certificate during the TLS handshake. The attacker can bypass revocation checks, potentially gaining unauthorized access to services protected by client certificate authentication. The vulnerability does not affect software versions that have reached End of Technical Support (EoTS). The CVSS v3.1 base score is 5.4, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, requires privileges to present a client certificate, no user interaction, unchanged scope, and low impact on confidentiality and integrity with no availability impact. No public exploits are known at this time, but the flaw undermines the trust model of TLS client authentication and could be leveraged in targeted attacks against sensitive environments.

The primary impact of CVE-2026-28755 is the potential unauthorized access to systems that rely on client certificate authentication with OCSP revocation checking enabled. Attackers possessing revoked certificates can bypass revocation checks and successfully complete TLS handshakes, potentially gaining access to protected resources or services. This undermines the integrity of the authentication process and could lead to data exposure or unauthorized command execution depending on the application context. Although the vulnerability does not affect availability, the compromise of confidentiality and integrity can have serious consequences in environments requiring strong client authentication, such as financial services, government agencies, and critical infrastructure. Organizations using NGINX as a TLS termination point with client certificate validation are at risk, especially if they rely on OCSP for revocation checking. The moderate CVSS score reflects the need for privileged access to present a revoked certificate but highlights the risk of bypassing a critical security control. The absence of known exploits reduces immediate risk but does not eliminate the threat of future exploitation.

To mitigate CVE-2026-28755, organizations should: 1) Upgrade affected NGINX Open Source versions (1.27.2 and 1.29.0) to patched releases once available from F5 or the NGINX project. 2) Temporarily disable ssl_ocsp or ssl_verify_client if immediate patching is not possible, understanding this reduces security and should be a short-term measure. 3) Implement additional layers of client authentication or authorization beyond TLS client certificates, such as application-level access controls or multi-factor authentication. 4) Monitor TLS handshake logs for connections using revoked certificates or unusual client certificate usage patterns. 5) Use OCSP stapling on the server side to improve revocation checking reliability and consider alternative revocation mechanisms like CRLs if feasible. 6) Restrict network access to NGINX servers requiring client certificates to trusted networks or VPNs to reduce exposure. 7) Conduct regular audits of client certificates and revoke any that are no longer needed or compromised. These steps help reduce the risk of unauthorized access while awaiting official patches.