CVE-2026-27654

Name of the Vulnerable Software and Affected Versions NGINX Open Source and NGINX Plus (affected versions not specified)

Description NGINX Open Source and NGINX Plus contain an issue in the ngx http dav module module that could allow an attacker to trigger a buffer overflow in the NGINX worker process. This could lead to the termination of the NGINX worker process or modification of source or destination file names outside the document root. The issue occurs when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The impact on integrity is limited because the NGINX worker process user has restricted privileges and system access.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.