Unrated severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026
NGINX ngx_stream_ssl_module vulnerability
CVE-2026-28755
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
- (no CPE)
- (no CPE) range: R36
- osv-coords, 3 versions: >= 1.27.2, < 1.28.3 (+ 2 more)
- (no CPE) range: >= 1.27.2, < 1.28.3
- (no CPE) range: >= 1.27.2, < 1.28.3
- (no CPE) range: < 1.29.7-1.1
References
- my.f5.com/manage/s/article/K000160368 (mitre, vendor-advisory)