Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-13T14:12:45 nginx: NGINX: Authorization bypass via IP spoofing in HTTP/3 QUIC module 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CWE-290

A flaw was found in NGINX Plus and NGINX Open Source when configured to use the HTTP/3 QUIC module. A remote attacker could exploit this by spoofing their source IP address. This vulnerability allows for the bypass of authorization controls or rate limiting mechanisms, potentially leading to unauthorized access or resource abuse.

To mitigate this issue, if the HTTP/3 QUIC module is not required, disable it in your NGINX configuration. This typically involves removing or commenting out the `quic` parameter from `listen` directives in your `nginx.conf` file. After modifying the configuration, a graceful reload or restart of the NGINX service is required for the changes to take effect. For example, use `sudo systemctl reload nginx` or `sudo systemctl restart nginx`. Red Hat Hardened Images 2026-05-23T00:00:00Z RHSA-2026:20351 nginx-main-1.30.2-1.hum1 Red Hat Enterprise Linux 10 Fix deferred nginx Red Hat Enterprise Linux 8 Fix deferred nginx:1.24/nginx Red Hat Enterprise Linux 9 Fix deferred nginx Red Hat Enterprise Linux 9 Fix deferred nginx:1.24/nginx Red Hat Enterprise Linux 9 Fix deferred nginx:1.26/nginx https://www.cve.org/CVERecord?id=CVE-2026-40460 https://nvd.nist.gov/vuln/detail/CVE-2026-40460 https://my.f5.com/manage/s/article/K000161068