CVE-2026-27654

High

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Score 0.0003 10.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or…

modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

SI-2 requires timely remediation of flaws like this NGINX buffer overflow vulnerability through patching or upgrades as detailed in the F5 advisory.

CM-7 Least Functionality good match

prevent

CM-7 enforces least functionality by disabling the unnecessary ngx_http_dav_module or its MOVE/COPY methods to prevent exploitation.

CM-6 Configuration Settings good match

prevent

CM-6 mandates secure configuration settings to avoid the vulnerable combination of DAV methods with prefix locations and alias directives in NGINX.

Security SummaryAI

CVE-2026-27654 is a buffer overflow vulnerability (CWE-122) in the ngx_http_dav_module of NGINX Open Source and NGINX Plus, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). The issue arises when the NGINX configuration file enables the DAV module's MOVE or COPY methods alongside prefix location configurations (non-regular expression) and alias directives. Software versions that have reached End of Technical Support (EoTS) were not evaluated for this vulnerability.

An unauthenticated network attacker can exploit this vulnerability with low attack complexity to trigger a buffer overflow in the NGINX worker process. Successful exploitation may cause termination of the worker process, resulting in a denial of service, or allow modification of source or destination file names outside the document root. The integrity impact remains low because the NGINX worker process typically runs with restricted privileges and lacks access to the full system.

The F5 advisory at https://my.f5.com/manage/s/article/K000160382 details mitigation guidance for this vulnerability.

Details

CWE(s): CWE-122

Affected Products

nginx plus

r32, r33, r34, r35, r36

nginx open source

0.5.13 — 0.9.7 · 1.0.0 — 1.28.3 · 1.29.0 — 1.29.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Buffer overflow in public-facing NGINX (DAV MOVE/COPY) directly enables unauthenticated remote exploitation for worker crash (DoS) or limited file name manipulation outside root.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://my.f5.com/manage/s/article/K000160382
Vendor Advisory · f5sirt@f5.com