CVE-2026-60065 in NGINX Plusinfo

Summary

by MITRE • 07/15/2026

When NGINX Plus is configured to use the Message Queuing Telemetry Transport (MQTT) filter module (ngx_stream_mqtt_filter_module), unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart.

Impact: This vulnerability may allow remote unauthenticated attackers to have limited control to restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability resides within the NGINX Plus streaming module specifically when configured with the MQTT filter functionality, representing a critical heap buffer over-read condition that affects the data plane processing capabilities. The flaw manifests when unauthenticated attackers can craft malicious MQTT requests that trigger unintended memory access patterns within the NGINX worker process. According to CWE-125, this represents an out-of-bounds read vulnerability where the application accesses memory beyond the allocated buffer boundaries, potentially leading to information disclosure or process termination.

The technical exploitation occurs through the ngx_stream_mqtt_filter_module which handles MQTT protocol processing in the streaming context. When malformed MQTT packets are received by a configured NGINX worker, the parsing logic fails to properly validate input boundaries, allowing attackers to manipulate memory access patterns that result in heap-based buffer over-read conditions. This type of vulnerability falls under ATT&CK technique T1203, where adversaries leverage application weaknesses to cause service disruption or process restarts without requiring authentication credentials.

The operational impact is significant as this vulnerability enables remote unauthenticated attackers to induce NGINX worker process restarts, effectively causing denial-of-service conditions that can disrupt legitimate traffic flows. While the vulnerability does not provide full command execution capabilities or direct access to system resources, it does allow for service availability attacks that can be leveraged in combination with other techniques to amplify disruption effects. The data plane nature of this issue means that even though there is no control plane exposure, the impact on service availability remains severe enough to warrant immediate attention.

Mitigation strategies should focus on implementing proper input validation and boundary checking within the MQTT filter module configuration. Administrators should ensure that all NGINX Plus installations are updated to versions that address this specific heap buffer over-read vulnerability. Additionally, network-level restrictions can be implemented to limit access to MQTT-enabled endpoints, though this requires careful consideration of legitimate use cases. The recommended approach involves applying security patches from NGINX, implementing proper rate limiting for MQTT connections, and monitoring worker process restart patterns as potential indicators of exploitation attempts. Organizations should also consider isolating MQTT-enabled services in network segments with appropriate access controls to limit the potential blast radius of any successful exploitation attempts.

Responsible

F5

Reservation

07/08/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!