Unrated severityNVD Advisory· Published Jun 17, 2026· Updated Jun 17, 2026

NGINX Gateway Fabric vulnerability

CVE-2026-11311

Description

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the AuthenticationFilter Custom Resource Definition extraAuthArgs field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected products

Nginx/Nginx Gateway Fabricinferred

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

my.f5.com/manage/s/article/K000161611mitrevendor-advisory

News mentions

F5 Patches NGINX Vulnerability That Enables Code Execution and DoS Attacks
Cyber Security News · Jun 18, 2026
F5 issues out-of-band patches for critical NGINX vulnerabilities
BleepingComputer · Jun 18, 2026
F5 Patches Critical, High-Severity NGINX Vulnerabilities
SecurityWeek · Jun 18, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000