CVE-2026-40460
MEDIUMNGINX Plus and Open Source - Authentication Bypass via HTTP/3 QUIC Module
Title source: llmDescription
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
patch
https://my.f5.com/manage/s/article/K000161068
Scores
CVSS v3
6.5
EPSS
0.0037
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-290
Status
published
Products (13)
f5/dos
4.8.0
f5/dos
4.3.0 - 4.7.0
F5/NGINX Open Source
1.26.0 - 1.30.1
F5/NGINX Open Source
1.31.0
F5/NGINX Plus
R32 - R32 P6
F5/NGINX Plus
R36 - R36 P4
F5/NGINX Plus
R37
f5/nginx_gateway_fabric
1.3.0 - 1.6.2
f5/nginx_ingress_controller
3.5.0 - 3.7.2
f5/nginx_instance_manager
2.16.0 - 2.22.0
... and 3 more
Published
May 13, 2026
Tracked Since
May 13, 2026