CVE-2026-40460
published 2026-05-13
Severity: medium, 6.9 (CVSS 4.0)
CVSS vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
When NGINX Plus or NGINX Open Source is configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address, allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | nginx_open_source | >= 1.26.0 < 1.30.1 | 1.30.1 |
| f5 | nginx_plus | — | — |
| f5 | nginx_plus | — | — |
| f5 | nginx_plus | >= R32 < R32 P6 | R32 P6 |
| f5 | nginx_plus | >= R36 < R36 P4 | R36 P4 |
| nginx_1.24 | nginx | — | — |
| nginx_1.26 | nginx | — | — |
| ubuntu | nginx | — | — |