{"id":"CVE-2026-27654","details":"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","aliases":["BIT-nginx-2026-27654","BIT-nginx-gateway-2026-27654"],"modified":"2026-07-08T08:04:59.570084140Z","published":"2026-03-24T15:16:33.130Z","related":["ALSA-2026:6906","ALSA-2026:6907","ALSA-2026:6923","ALSA-2026:7002","ALSA-2026:7343","SUSE-SU-2026:1761-1","SUSE-SU-2026:1953-1","SUSE-SU-2026:21823-1","openSUSE-SU-2026:10423-1","openSUSE-SU-2026:20784-1"],"database_specific":{"unresolved_ranges":[{"vendor_product":"f5:nginx_plus","extracted_events":[{"introduced":"r32-p1"},{"last_affected":"r32-p1"},{"introduced":"r32-p2"},{"last_affected":"r32-p2"},{"introduced":"r32-p3"},{"last_affected":"r32-p3"},{"introduced":"r32-p4"},{"last_affected":"r32-p4"},{"introduced":"r33"},{"last_affected":"r33"},{"introduced":"r33-p1"},{"last_affected":"r33-p1"},{"introduced":"r33-p2"},{"last_affected":"r33-p2"},{"introduced":"r33-p3"},{"last_affected":"r33-p3"},{"introduced":"r34"},{"last_affected":"r34"},{"introduced":"r34-p1"},{"last_affected":"r34-p1"},{"introduced":"r34-p2"},{"last_affected":"r34-p2"},{"introduced":"r35"},{"last_affected":"r35"},{"introduced":"r35-p1"},{"last_affected":"r35-p1"},{"introduced":"r36"},{"last_affected":"r36"},{"introduced":"r36-p1"},{"last_affected":"r36-p1"},{"introduced":"r36-p2"},{"last_affected":"r36-p2"}],"source":"CPE_STRING","cpes":["cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2026-27654"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27654.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10065"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13634"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13680"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13839"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:14836"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:15942"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:15943"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:15945"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:15966"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:6906"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:6907"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:6923"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:7002"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:7343"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:8346"},{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000160382"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450776"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"ca1e78e0ceb1cd344bfc00647d0b167db602f298"},{"last_affected":"955370fc8c12b1a945941f844adc9df49a0f3f32"},{"introduced":"a2a09a84eb0a7059880500e70b40796ab1dd0c4d"},{"fixed":"9b958b000776c88036cd800c66e7e4ad39e6fd41"},{"introduced":"235f409907fd60eb2d8f6ecdc0e5cb163dd6d45f"},{"fixed":"5ac6f49371f9fcdf21ca4b4fd2a8657576f0885b"}],"database_specific":{"extracted_events":[{"introduced":"0.5.13"},{"last_affected":"0.9.7"},{"introduced":"1.0.0"},{"fixed":"1.28.3"},{"introduced":"1.29.0"},{"fixed":"1.29.7"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*"}}],"versions":["release-1.28.2","release-1.29.6","release-1.29.5","release-1.28.1","release-1.28.0","release-1.29.4","release-1.29.3","release-1.29.2","release-1.29.1","release-1.29.0","release-1.27.5","release-1.27.4","release-1.27.3","release-1.27.2","release-1.27.1","release-1.27.0","release-1.25.5","release-1.25.4","release-1.25.3","release-1.25.2","release-1.25.1","release-1.25.0","release-1.23.4","release-1.23.3","release-1.23.2","release-1.23.1","release-1.23.0","release-1.21.6","release-1.21.5","release-1.21.4","release-1.21.3","release-1.21.2","release-1.21.1","release-1.21.0","release-1.19.10","release-1.19.9","release-1.19.8","release-1.19.7","release-1.19.6","release-1.19.5","release-1.19.4","release-1.19.3","release-1.19.2","release-1.19.1","release-1.19.0","release-1.17.10","release-1.17.9","release-1.17.8","release-1.17.7","release-1.17.6","release-1.17.5","release-1.17.4","release-1.17.3","release-1.17.2","release-1.17.1","release-1.17.0","release-1.15.12","release-1.15.11","release-1.15.10","release-1.15.9","release-1.15.8","release-1.15.7","release-1.15.6","release-1.15.5","release-1.15.4","release-1.15.3","release-1.15.2","release-1.15.1","release-1.15.0","release-1.13.12","release-1.13.11","release-1.13.10","release-1.13.9","release-1.13.8","release-1.13.7","release-1.13.6","release-1.13.5","release-1.13.4","release-1.13.3","release-1.13.2","release-1.13.1","release-1.13.0","release-1.11.13","release-1.11.12","release-1.11.11","release-1.11.10","release-1.11.9","release-1.11.8","release-1.11.7","release-1.11.6","release-1.11.5","release-1.11.4","release-1.11.3","release-1.11.2","release-1.11.1","release-1.11.0","release-1.9.15","release-1.9.14","release-1.9.13","release-1.9.12","release-1.9.11","release-1.9.10","release-1.9.9","release-1.9.8","release-1.9.7","release-1.9.6","release-1.9.5","release-1.9.4","release-1.9.3","release-1.9.2","release-1.9.1","release-1.9.0","release-1.7.12","release-1.7.11","release-1.7.10","release-1.7.9","release-1.7.8","release-1.7.7","release-1.7.6","release-1.7.5","release-1.7.4","release-1.7.3","release-1.7.2","release-1.7.1","release-1.7.0","release-1.5.13","release-1.5.12","release-1.5.11","release-1.5.10","release-1.5.9","release-1.5.8","release-1.5.7","release-1.5.6","release-1.5.5","release-1.5.4","release-1.5.3","release-1.5.2","release-1.5.1","release-1.5.0","release-1.4.0","release-1.3.16","release-1.3.15","release-1.3.14","release-1.3.13","release-1.3.12","release-1.3.11","release-1.3.10","release-1.3.9","release-1.3.8","release-1.3.7","release-1.3.6","release-1.3.5","release-1.3.4","release-1.3.3","release-1.3.2","release-1.3.1","release-1.3.0","release-1.2.0","release-1.1.19","release-1.1.18","release-1.1.17","release-1.1.16","release-1.1.15","release-1.1.14","release-1.1.13","release-1.1.12","release-1.1.11","release-1.1.10","release-1.1.9","release-1.1.8","release-1.1.7","release-1.1.6","release-1.1.5","release-1.1.4","release-1.1.3","release-1.1.2","release-1.1.1","release-1.1.0","release-1.0.5","release-1.0.4","release-1.0.3","release-1.0.2","release-1.0.1","release-1.0.0","release-0.9.7","release-0.9.6","release-0.9.5","release-0.9.4","release-0.9.3","release-0.9.2","release-0.9.1","release-0.9.0","release-0.8.53","release-0.8.52","release-0.8.51","release-0.8.50","release-0.8.49","release-0.8.48","release-0.8.47","release-0.8.46","release-0.8.45","release-0.8.44","release-0.8.43","release-0.8.42","release-0.8.41","release-0.8.40","release-0.8.39","release-0.8.38","release-0.8.37","release-0.8.36","release-0.8.35","release-0.8.34","release-0.8.33","release-0.8.32","release-0.8.31","release-0.8.30","release-0.8.29","release-0.8.28","release-0.8.27","release-0.8.26","release-0.8.25","release-0.8.24","release-0.8.23","release-0.8.22","release-0.8.21","release-0.8.20","release-0.8.19","release-0.8.18","release-0.8.17","release-0.8.16","release-0.8.15","release-0.8.14","release-0.8.13","release-0.8.12","release-0.8.11","release-0.8.10","release-0.8.9","release-0.8.8","release-0.8.7","release-0.8.6","release-0.8.5","release-0.8.4","release-0.8.3","release-0.8.2","release-0.8.1","release-0.8.0","release-0.7.59","release-0.7.58","release-0.7.57","release-0.7.56","release-0.7.55","release-0.7.54","release-0.7.53","release-0.7.52","release-0.7.51","release-0.7.50","release-0.7.49","release-0.7.48","release-0.7.47","release-0.7.46","release-0.7.45","release-0.7.44","release-0.7.43","release-0.7.42","release-0.7.41","release-0.7.40","release-0.7.39","release-0.7.38","release-0.7.37","release-0.7.36","release-0.7.35","release-0.7.34","release-0.7.33","release-0.7.32","release-0.7.31","release-0.7.30","release-0.7.29","release-0.7.28","release-0.7.27","release-0.7.26","release-0.7.25","release-0.7.24","release-0.7.23","release-0.7.22","release-0.7.21","release-0.7.20","release-0.7.19","release-0.7.18","release-0.7.17","release-0.7.16","release-0.7.15","release-0.7.14","release-0.7.13","release-0.7.12","release-0.7.11","release-0.7.10","release-0.7.9","release-0.7.8","release-0.7.7","release-0.7.6","release-0.7.5","release-0.7.4","release-0.7.3","release-0.7.2","release-0.7.1","release-0.7.0","release-0.6.31","release-0.6.30","release-0.6.29","release-0.6.28","release-0.6.27","release-0.6.26","release-0.6.25","release-0.6.24","release-0.6.23","release-0.6.22","release-0.6.21","release-0.6.20","release-0.6.19","release-0.6.18","release-0.6.17","release-0.6.16","release-0.6.15","release-0.6.14","release-0.6.13","release-0.6.12","release-0.6.11","release-0.6.10","release-0.6.9","release-0.6.8","release-0.6.7","release-0.6.6","release-0.6.5","release-0.6.4","release-0.6.3","release-0.6.2","release-0.6.1","release-0.6.0","release-0.5.25","release-0.5.24","release-0.5.23","release-0.5.22","release-0.5.21","release-0.5.20","release-0.5.19","release-0.5.18","release-0.5.17","release-0.5.16","release-0.5.15","release-0.5.14","release-0.5.13"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27654.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}