Unrated severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026
NGINX ngx_mail_auth_http_module vulnerability
CVE-2026-27651
Description
When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
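Added example (not part of the advisory and not F5 or NGINX code): a small Python check for the two configuration-side preconditions named above, the module being in use through an auth_http directive and APOP or CRAM-MD5 being enabled through pop3_auth, imap_auth or smtp_auth. The sample configuration and the function name audit_mail_config are constructed for illustration; whether the authentication server returns Auth-Wait cannot be read from the NGINX configuration and has to be checked on that server.

```python
import re

# nginx mail-module directives that choose the offered authentication methods.
AUTH_DIRECTIVES = ("pop3_auth", "imap_auth", "smtp_auth")
# Methods named in the advisory as a precondition.
FLAGGED_METHODS = {"apop", "cram-md5"}

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """
mail {
    auth_http 127.0.0.1:9000/auth;   # constructed endpoint
    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
    }
    server {
        listen 143;
        protocol imap;
        imap_auth plain login;
    }
    # smtp_auth cram-md5;  commented out, must be ignored
}
"""

def audit_mail_config(text):
    """Report whether auth_http is set and which flagged methods are enabled."""
    # Naive comment stripping: assumes '#' never appears inside a quoted value.
    clean = re.sub(r"#[^\n]*", "", text)
    # 'auth_http <url>;' only; auth_http_header / auth_http_timeout do not match.
    uses_auth_http = re.search(r"(?<!\w)auth_http\s+[^;]+;", clean) is not None
    pattern = r"(?<!\w)(%s)\s+([^;]+);" % "|".join(AUTH_DIRECTIVES)
    flagged = [
        (directive, method)
        for directive, args in re.findall(pattern, clean)
        for method in args.lower().split()
        if method in FLAGGED_METHODS
    ]
    return {
        "uses_auth_http": uses_auth_http,
        "flagged": flagged,
        # Both configuration-side conditions from the description are present.
        "needs_review": uses_auth_http and bool(flagged),
    }

if __name__ == "__main__":
    print(audit_mail_config(SAMPLE_CONF))
```

Passing the output of `nginx -T` to the function covers files pulled in through include directives.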
Affected products
- (no CPE)
- (no CPE) range: R36
osv-coords, 21 versions:
- pkg:bitnami/nginx (no CPE), range: >= 0.5.15, < 1.28.3
- pkg:bitnami/nginx-gateway (no CPE), range: >= 0.5.15, < 1.28.3
- pkg:rpm/almalinux/nginx (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-all-modules (no CPE), range: < 2:1.26.3-2.el10_1.1
- pkg:rpm/almalinux/nginx-core (no CPE), range: < 1:1.24.0-5.module_el9.7.0+220+47ec8b91.2.alma.1
- pkg:rpm/almalinux/nginx-filesystem (no CPE), range: < 2:1.26.3-2.el10_1.1
- pkg:rpm/almalinux/nginx-mod-devel (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-mod-http-image-filter (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-mod-http-perl (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-mod-http-xslt-filter (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-mod-mail (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/almalinux/nginx-mod-stream (no CPE), range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- pkg:rpm/opensuse/nginx&distro=openSUSE%20Tumbleweed (no CPE), range: < 1.29.7-1.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 (no CPE), range: < 1.21.5-150400.3.20.1
- pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 (no CPE), range: < 1.21.5-150400.3.20.1
References
- my.f5.com/manage/s/article/K000160383 (mitre, vendor-advisory)