CVE-2026-42926

MEDIUM LAB

NGINX Open Source 1.29.4-1.30.0 and >=1.31.0 - HTTP/2 Request Smuggling via proxy_set_body

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42926. PoCs published by ikarolaborda.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2026-42926, an HTTP/2 frame injection vulnerability in NGINX 1.29.4 to 1.30.0. It includes a Python-based HTTP/2 frame logger and a PHP script to validate the vulnerability by crafting and sending malicious frames to detect injection.

Description

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (1)

github WORKING POC
by ikarolaborda · phppoc
https://github.com/ikarolaborda/CVE2026-42926

This repository contains a functional PoC for CVE-2026-42926, an HTTP/2 frame injection vulnerability in NGINX 1.29.4 to 1.30.0. It includes a Python-based HTTP/2 frame logger and a PHP script to validate the vulnerability by crafting and sending malicious frames to detect injection.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: NGINX 1.29.4 - 1.30.0
No auth needed
Prerequisites: NGINX 1.29.4 - 1.30.0 with HTTP/2 enabled · Access to the target server · Python 3.x for the frame logger
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
https://my.f5.com/manage/s/article/K000161131

Scores

CVSS v3 5.8
EPSS 0.0034
EPSS Percentile 26.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull cve-2026-42926-lab:nginx-1.29.4

Details

CWE
CWE-172
Status published
Products (6)
F5/NGINX Open Source 1.29.4 - 1.30.1
F5/NGINX Open Source 1.31.0
f5/nginx_gateway_fabric 1.3.0 - 1.6.2
f5/nginx_ingress_controller 3.5.0 - 3.7.2
f5/nginx_instance_manager 2.16.0 - 2.22.0
f5/nginx_open_source 1.29.4 - 1.30.0
Published May 13, 2026
Tracked Since May 13, 2026