Security Advisory - Published 2026-06-18 - NGINX Gateway Fabric
NGINX Gateway Fabric CVEs: review CRDs and RBAC before trusting the data plane
CVE-2026-11311 and CVE-2026-50107 affect configuration generation in NGINX Gateway Fabric. The risky surface is who can create or change Gateway Fabric custom resources, not a blind internet request to an ordinary NGINX worker.
Affected areas
| CVE | Area | Review | CVSS |
|---|---|---|---|
| CVE-2026-11311 | CRD | Kubernetes | 8.6 |
| CVE-2026-50107 | Access logs | RBAC | 8.6 |
Cluster self-check
kubectl get crd | egrep -i 'nginxproxy|authenticationfilter|gateway.nginx'
kubectl get gatewayclass,gateway,httproute -A
kubectl auth can-i create nginxproxies --all-namespaces
kubectl auth can-i update authenticationfilters --all-namespaces
kubectl get role,clusterrole,rolebinding,clusterrolebinding -A | egrep -i 'gateway|nginx'
What to review
- Recent NginxProxy, AuthenticationFilter, Gateway, and HTTPRoute changes.
- Service accounts or CI jobs that can update Gateway Fabric CRDs.
- Generated NGINX configuration changes around the advisory window.
- Ingress behavior changes, new access log formats, or failed config reloads.
Safe fix path
- Patch NGINX Gateway Fabric to a vendor-fixed release.
- Reduce write access to Gateway Fabric CRDs to a small platform group.
- Review recent CRD changes and generated config diffs before restarting traffic.
- Rotate credentials for CI or service accounts that had broad CRD write access.
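The review item on service accounts and CI jobs, and the fix step on reducing CRD write access, both need a list of who can actually write these resources. The name-based grep in the self-check misses wildcard roles whose names contain neither "gateway" nor "nginx". The sketch below is an added example, not code from this advisory or from the NGINX Gateway Fabric project; the API group names, the resource list, and the sample objects are assumptions constructed for illustration.

```python
# Assumed API groups: gateway.nginx.org (Gateway Fabric CRDs) and
# gateway.networking.k8s.io (Gateway, HTTPRoute). "*" covers RBAC wildcards.
GROUPS = {"gateway.nginx.org", "gateway.networking.k8s.io", "*"}
RESOURCES = {"nginxproxies", "authenticationfilters", "gateways", "httproutes", "*"}
WRITE = {"create", "update", "patch", "delete", "deletecollection", "*"}

def grants_write(role):
    """True if any rule allows a write verb on the resources, wildcards included."""
    return any(GROUPS & set(r.get("apiGroups") or [])
               and RESOURCES & set(r.get("resources") or [])
               and WRITE & set(r.get("verbs") or [])
               for r in role.get("rules") or [])

def crd_writers(listing):
    """Map 'Kind/namespace/name' subjects to the roles that let them write."""
    items, out = listing.get("items", []), {}
    risky = {(i["kind"], i["metadata"].get("namespace", ""), i["metadata"]["name"])
             for i in items if i["kind"].endswith("Role") and grants_write(i)}
    for b in (i for i in items if i["kind"].endswith("RoleBinding")):
        ref = b["roleRef"]
        # A Role is resolved in the binding's namespace; a ClusterRole has none.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        if (ref["kind"], ns, ref["name"]) in risky:
            for s in b.get("subjects") or []:
                key = f'{s["kind"]}/{s.get("namespace", "")}/{s["name"]}'
                out.setdefault(key, set()).add(ref["name"])
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample, shaped like `kubectl get role,clusterrole,rolebinding,clusterrolebinding -A -o json`.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "nginx-gateway-viewer"}, "rules": [
        {"apiGroups": ["gateway.nginx.org"], "resources": ["nginxproxies"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "route-editor", "namespace": "team-a"}, "rules": [
        {"apiGroups": ["gateway.networking.k8s.io"], "resources": ["httproutes"], "verbs": ["patch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "nginx-gateway-viewer"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    {"kind": "RoleBinding", "metadata": {"name": "route-edit", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "route-editor"}, "subjects": [{"kind": "User", "name": "alice"}]},
]}

if __name__ == "__main__":
    print(crd_writers(SAMPLE))
```

On a real cluster, load the JSON output of the same `kubectl get ... -A -o json` listing with `json.load` and pass it to `crd_writers` in place of `SAMPLE`.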
Repair help
Use Ping7 CVE Repair if several teams can write Gateway Fabric resources, the cluster is customer-facing, or config reloads changed unexpectedly around the advisory window.