CVE-2026-28755 — Incorrect Authorization in F5 Nginx Open Source
Severity
5.3 MEDIUM (NVD)
EPSS
0.0%
top 97.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 24
Latest update: Apr 17
Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected Packages: 6 packages
Vulnerability Details
VulDB
F5 NGINX Open Source/NGINX Plus ngx_stream_ssl_module authorization (K000160368 / Nessus ID 306672) (2026-04-17)
OSV
CVE-2026-28755: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when co (2026-03-24)
GHSA
GHSA-hgfr-jmpr-2p89: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when co (2026-03-24)