CVE-2026-50107

Name of the Vulnerable Software and Affected Versions NGINX Gateway Fabric (affected versions not specified)

Description An injection issue exists in the NGINX configuration generator component of NGINX Gateway Fabric when NGINX Plus or NGINX Open Source is used as the data plane. User-supplied string values from the NginxProxy Custom Resource Definition (CRD) access log format setting are rendered into NGINX configuration templates without proper sanitization or escaping. An authenticated attacker with permissions to create or modify these CRDs can inject arbitrary NGINX configuration directives. This is a control plane issue with no direct data plane exposure from the trigger.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.