{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28753", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2026-03-18T16:06:38.435Z", "datePublished": "2026-03-24T14:13:26.107Z", "dateUpdated": "2026-03-24T15:24:34.995Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:49:49.169Z"}, "title": "NGINX ngx_mail_proxy_module vulnerability", "datePublic": "2026-03-24T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "affected": [{"vendor": "F5", "product": "NGINX Open Source", "modules": ["ngx_mail_proxy_module"], "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "0.6.27", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "NGINX Plus", "modules": ["ngx_mail_proxy_module"], "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000160367", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.7, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Asim Viladi Oglu Manizada", "type": "reporter"}, {"lang": "en", "value": "Colin Warren", "type": "reporter"}, {"lang": "en", "value": "Xiao Liu (Yunnan University)", "type": "reporter"}, {"lang": "en", "value": "Yuan Tan (UC Riverside)", "type": "reporter"}, {"lang": "en", "value": "Bird Liu (Lanzhou University)", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:24:28.689685Z", "id": "CVE-2026-28753", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:24:34.995Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28753", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:24:28.689685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:24:31.847Z"}}], "cna": {"title": "NGINX ngx_mail_proxy_module vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Asim Viladi Oglu Manizada"}, {"lang": "en", "type": "reporter", "value": "Colin Warren"}, {"lang": "en", "type": "reporter", "value": "Xiao Liu (Yunnan University)"}, {"lang": "en", "type": "reporter", "value": "Yuan Tan (UC Riverside)"}, {"lang": "en", "type": "reporter", "value": "Bird Liu (Lanzhou University)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["ngx_mail_proxy_module"], "product": "NGINX Open Source", "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "0.6.27", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "modules": ["ngx_mail_proxy_module"], "product": "NGINX Plus", "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-24T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000160367", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:49:49.169Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28753", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:24:34.995Z", "dateReserved": "2026-03-18T16:06:38.435Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2026-03-24T14:13:26.107Z", "assignerShortName": "f5"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "id": "CVE-2026-28753", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "f5sirt@f5.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2026-03-24T15:16:33.560", "references": [{"source": "f5sirt@f5.com", "url": "https://my.f5.com/manage/s/article/K000160367"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "f5sirt@f5.com", "type": "Primary"}]}

{"bugzilla": {"description": "NGINX: NGINX Plus: NGINX Open Source: NGINX Plus and NGINX Open Source: Request manipulation via header injection in SMTP upstream requests", "id": "2450780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450780"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["A flaw was found in NGINX Plus and NGINX Open Source, specifically within the ngx_mail_smtp_module. This vulnerability allows an attacker-controlled DNS (Domain Name System) server to inject arbitrary headers into SMTP (Simple Mail Transfer Protocol) upstream requests. This is due to the improper handling of Carriage Return (CRLF) sequences in DNS responses. The primary consequence is the potential manipulation of these requests, which could alter their intended behavior."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-28753", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nginx:1.26/nginx", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T14:13:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28753\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28753\nhttps://my.f5.com/manage/s/article/K000160367"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.6.27,1.28.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Open Source", "source": "cna", "vendor": "F5"}, "product": "nginx_open_source", "vendor": "f5"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R36,R36 P3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R35,R35 P2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R34,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R33,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R32,R32 P5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Plus", "source": "cna", "vendor": "F5"}, "product": "nginx_plus", "vendor": "f5"}], "analysis": {"en": {"generated_at": "2026-03-24T16:23:47.503789+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s support site for a patch that addresses the CRLF handling bug and upgrade to the latest NGINX release.", "If upgrading is not possible, limit NGINX\u2019s DNS queries to a known, secure internal DNS server and block responses from any untrusted IPs.", "Verify that upstream SMTP connections are authenticated or use TLS to reduce the risk that injected headers are accepted by the mail server.", "Monitor SMTP traffic and DNS responses for anomalous headers or unexpected changes and set alerts for suspicious activity."], "summary": {"action": "Patch Now", "impact": "Potential SMTP request manipulation"}, "threat_synthesis": {"affected_systems": "The flaw affects both the open\u2011source and commercial variants of NGINX (NGINX Open\u2011Source and NGINX Plus). No specific version ranges are listed, and the advisory notes that end\u2011of\u2011support releases are not evaluated. Administrators should review current installations to determine whether the affected configurations are in use and consult the vendor for a patched release.", "description_and_impact": "The vulnerability resides in the ngx_mail_smtp_module of NGINX, where the handling of carriage\u2011return line\u2011feed sequences in DNS responses is incorrect. An attacker who controls a DNS server can inject arbitrary SMTP headers into upstream requests that NGINX forwards. The injected headers may alter the semantics of the SMTP transaction, potentially allowing manipulation of mail flow or forging of authentication data. This is a request\u2011level injection flaw.", "risk_and_exploitability": "The CVSS score is 6.3, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Attack requires control over the DNS infrastructure that NGINX uses to resolve upstream SMTP hosts; this could be achieved by a compromised internal DNS server or a malicious external responder if DNS queries traverse an insecure network. The impact is limited to SMTP traffic handled by NGINX, but can lead to manipulation of email delivery or data exfiltration through forged headers. The combination of a moderate CVSS score, lack of publicly known exploits, and a specific attack vector suggests that exploitation is plausible in environments where DNS trust is weak."}}}}, "created": "2026-03-25T11:47:25.689316+00:00", "updated": "2026-03-25T20:50:10.982605+00:00", "vendors": ["f5", "f5$PRODUCT$nginx_open_source", "f5$PRODUCT$nginx_plus"]}