Medium severity5.8NVD Advisory· Published May 13, 2026· Updated May 13, 2026
CVE-2026-42926
CVE-2026-42926
Description
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
4- osv-coords3 versions
>= 1.29.4, < 1.30.1+ 2 more
- (no CPE)range: >= 1.29.4, < 1.30.1
- (no CPE)range: >= 1.29.4, < 1.30.1
- (no CPE)range: < 1.31.0-1.1
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.