F5 has released security updates addressing two high-severity vulnerabilities (CVE-2026-42530 and CVE-2026-42055) affecting multiple NGINX products that could impact service stability and system security.

Affected Systems:

Affected products include, but are not limited to:

• NGINX Open Source versions: 1.30.0–1.30.2, 1.31.0–1.31.1

• NGINX Plus versions: R33–R36, R37.0.0–R37.0.1

• NGINX Ingress Controller versions: 3.5.0–3.7.2, 4.0.0–4.0.1, 5.0.0–5.5.0

• NGINX Instance Manager versions: 2.17.0–2.22.0

Security Risks

Successful exploitation could cause NGINX services to stop working, resulting in service downtime, and in some cases may allow attackers to gain deeper control of affected systems.

Refer to the official NGINX Security Advisories page for detailed CVE information and vendor remediation guidance.

Recommended Actions

The National Cyber Security Authority (NCSA) recommends users and system administrators to:

• Upgrade, as soon as possible, to the latest supported version to maintain security and continue receiving technical support and patches.

The recommended upgrade versions are not limited to:

• NGINX Open Source: upgrade to versions 1.30.3, 1.31.2

• NGINX Plus: upgrade to versions R36 P6, R37.0.2.1

• NGINX Ingress Controller: upgrade to version 5.5.1

• NGINX Instance Manager: upgrade to version 2.22.1

• Ensure you have the latest backup that can be easily restored before applying any updates or patches.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-42530

• https://nvd.nist.gov/vuln/detail/CVE-2026-42055

• F5 issues out-of-band patches for critical NGINX vulnerabilities

• F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution