NVD - CVE-2026-28755

Initial Analysis by NIST 3/26/2026 10:09:37 AM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Added CPE Configuration OR
    *cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* versions from (including) 0.5.13 up to (including) 0.9.7
    *cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* versions from (including) 1.27.2 up to (excluding) 1.28.3
    *cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* versions from (including) 1.29.0 up to (excluding) 1.29.7
Added CPE Configuration OR
    *cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
    *cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*
Added Reference Type F5 Networks: https://my.f5.com/manage/s/article/K000160368 Types: Mitigation, Vendor Advisory

New CVE Received from F5 Networks 3/24/2026 11:16:33 AM

Action Type Old Value New Value
Added Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Added CWE CWE-863
Added Reference https://my.f5.com/manage/s/article/K000160368