Nginx 1.29.5 and 1.28.2 released

Nginx has released versions 1.29.5 and 1.28.2 to address a critical SSL upstream injection vulnerability (CVE-2026-1642) that could allow attackers to bypass host-based access controls and expose internal data. This flaw particularly affects public-facing Nginx servers using SSL termination with TLS. The updates include enhanced logging and improved read-before-write logic to mitigate the risk, and users are strongly encouraged to upgrade to these new versions for better security. The full changelog outlines various fixes and improvements included in the releases.



A new security update, Nginx 1.29.5, has been released to fix a critical SSL upstream injection bug (CVE-2026-1642) that could allow attackers to bypass host-based access controls and expose internal data to the internet. This vulnerability affects Nginx instances with SSL termination and is particularly relevant for public-facing servers using TLS. The patch adds proper logging and tightens read-before-write logic to prevent the attack, but users should still upgrade their Nginx version as soon as possible to ensure security. Nginx 1.28.2 has also been released with the same fix for earlier versions of Nginx 1.28.

Nginx 1.29.5 and 1.28.2 released @ Linux Compatible