CVE Vulnerabilities

CVE-2026-40460

Authentication Bypass by Spoofing

Published: May 13, 2026 | Modified: Jun 29, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Weakness

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Affected Software

NameVendorStart VersionEnd Version
DosF54.3.0 (including)4.7.0 (including)
DosF54.8.0 (including)4.8.0 (including)
Nginx_gateway_fabricF51.3.0 (including)1.6.2 (including)
Nginx_gateway_fabricF52.0.0 (including)2.6.0 (including)
Nginx_ingress_controllerF53.5.0 (including)3.7.2 (including)
Nginx_ingress_controllerF54.0.0 (including)4.0.1 (including)
Nginx_ingress_controllerF55.0.0 (including)5.4.2 (including)
Nginx_instance_managerF52.16.0 (including)2.22.0 (including)
Nginx_open_sourceF51.25.0 (including)1.30.0 (including)
Nginx_plusF5r32 (including)r36 (including)
WafF54.9.0 (including)4.16.0 (including)
WafF55.1.0 (including)5.8.0 (including)
WafF55.9.0 (including)5.12.1 (including)
Red Hat Hardened ImagesRedHatnginx-main-1.30.2-1.hum1*
NginxUbuntuesm-infra/xenial*
NginxUbuntuquesting*
NginxUbunturesolute*
NginxUbuntuupstream*

References