CVE-2026-50107: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in F5 NGINX Gateway Fabric
CVE-2026-50107 is an injection vulnerability in the NGINX configuration generator component of F5's NGINX Gateway Fabric version 2.3.0. It arises when user-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are inserted into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs can inject arbitrary NGINX configuration directives. This vulnerability affects the control plane only and does not expose the data plane directly.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-50107) affects F5 NGINX Gateway Fabric when configured with NGINX Plus or NGINX Open Source as the data plane. The issue is due to improper neutralization of special elements (CWE-74) in user-supplied strings from the NginxProxy CRD access log format setting, which are rendered directly into NGINX configuration templates without sanitization. An attacker with authenticated access and permission to modify these CRDs can inject arbitrary NGINX configuration directives, potentially leading to control plane compromise. The vulnerability is specific to version 2.3.0 of NGINX Gateway Fabric. There is no indication of known exploits in the wild or a vendor-provided patch or remediation at this time.
Potential Impact
Successful exploitation allows an authenticated user with permission to create or modify NginxProxy CRDs to inject arbitrary NGINX configuration directives, potentially compromising the control plane. The vulnerability has a high CVSS score of 8.1, reflecting high confidentiality and integrity impact but no availability impact. There is no direct exposure of the data plane from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict permissions to create or modify NginxProxy CRDs to trusted administrators only to reduce the risk of exploitation.
CVE-2026-50107: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in F5 NGINX Gateway Fabric
Description
CVE-2026-50107 is an injection vulnerability in the NGINX configuration generator component of F5's NGINX Gateway Fabric version 2.3.0. It arises when user-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are inserted into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs can inject arbitrary NGINX configuration directives. This vulnerability affects the control plane only and does not expose the data plane directly.
CVSS v3.1
Score 8.1high
Affected software
pkg:github/f5/nginx-gateway-fabricRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-50107) affects F5 NGINX Gateway Fabric when configured with NGINX Plus or NGINX Open Source as the data plane. The issue is due to improper neutralization of special elements (CWE-74) in user-supplied strings from the NginxProxy CRD access log format setting, which are rendered directly into NGINX configuration templates without sanitization. An attacker with authenticated access and permission to modify these CRDs can inject arbitrary NGINX configuration directives, potentially leading to control plane compromise. The vulnerability is specific to version 2.3.0 of NGINX Gateway Fabric. There is no indication of known exploits in the wild or a vendor-provided patch or remediation at this time.
Potential Impact
Successful exploitation allows an authenticated user with permission to create or modify NginxProxy CRDs to inject arbitrary NGINX configuration directives, potentially compromising the control plane. The vulnerability has a high CVSS score of 8.1, reflecting high confidentiality and integrity impact but no availability impact. There is no direct exposure of the data plane from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict permissions to create or modify NginxProxy CRDs to trusted administrators only to reduce the risk of exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- f5
- Date Reserved
- 2026-06-17T16:35:56.336Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33019af198dc38c1fe1948
Added to database: 6/17/2026, 8:20:42 PM
Last enriched: 6/17/2026, 8:34:57 PM
Last updated: 6/17/2026, 9:39:20 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.