Security Advisory - Published 2026-06-18 - NGINX Gateway Fabric

NGINX Gateway Fabric CVEs: review CRDs and RBAC before trusting the data plane

CVE-2026-11311 and CVE-2026-50107 affect configuration generation in NGINX Gateway Fabric: values placed in Gateway Fabric custom resources end up in the NGINX configuration the controller writes for the data plane. The risky surface is therefore who can create or change those custom resources in the cluster, not an unauthenticated request from the internet to an ordinary NGINX worker.

Defensive scope: this page covers owned Kubernetes clusters and approved platform review. It does not include crafted CRD values or abuse steps.

Affected areas

CVE               Area          Review       CVSS
CVE-2026-11311    CRD           Kubernetes   8.6
CVE-2026-50107    Access logs   RBAC         8.6

Cluster self-check

kubectl get crd | grep -Ei 'nginxproxy|authenticationfilter|gateway.nginx'
kubectl get gatewayclass,gateway,httproute -A
kubectl auth can-i create nginxproxies.gateway.nginx.org -A
kubectl auth can-i update authenticationfilters.gateway.nginx.org -A
kubectl auth can-i update nginxproxies.gateway.nginx.org -A --as=system:serviceaccount:<namespace>:<serviceaccount>
kubectl get role,clusterrole,rolebinding,clusterrolebinding -A | grep -Ei 'gateway|nginx'

The first two can-i checks answer only for the identity you are running as; repeat the --as form for each CI or controller service account you want to verify. The final grep matches role and binding names only, so a role with an unrelated name (or a wildcard rule) that still grants write on Gateway Fabric resources will not show up there.

What to review

  • Recent NginxProxy, AuthenticationFilter, Gateway, and HTTPRoute changes, including who made them (API server audit log, GitOps history).
  • Users, service accounts, or CI jobs whose RBAC grants create, update, patch, or delete on Gateway Fabric CRDs, directly or through wildcard rules.
  • Generated NGINX configuration changes around the advisory window.
  • Changes in how traffic is routed, new access log formats, or failed NGINX config reloads.

Safe fix path

  1. Patch NGINX Gateway Fabric to a vendor-fixed release.
  2. Reduce write access to Gateway Fabric CRDs to a small platform group.
  3. Review recent CRD changes and diff the generated NGINX configuration before putting the data plane back in service.
  4. Rotate credentials for CI or service accounts that had broad CRD write access.
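The review items above and steps 2 and 4 of the fix path both come down to one question: which subjects can write Gateway Fabric resources? As an added example (not part of this advisory and not code from the NGINX Gateway Fabric project), the script below reads the JSON that kubectl get clusterrole,role,clusterrolebinding,rolebinding -A -o json produces and lists every subject whose binding reaches a role that allows create, update, patch, delete, or deletecollection on the gateway.nginx.org or gateway.networking.k8s.io API groups. It treats wildcard apiGroups, resources, and verbs as grants, and it reports a RoleBinding to cluster-admin as namespace-scoped, which is what the API server enforces. The role, binding, and subject names in the embedded sample are constructed for the example.

```python
"""List RBAC subjects that can write NGINX Gateway Fabric / Gateway API resources.

Input: JSON from
  kubectl get clusterrole,role,clusterrolebinding,rolebinding -A -o json
Usage: python ngf_rbac_audit.py rbac.json   (no argument: runs on the built-in sample)
"""
import json
import sys

# API groups whose objects the controller turns into NGINX configuration:
# the project's own CRDs (NginxProxy, AuthenticationFilter, ...) and the Gateway API.
WATCHED_GROUPS = {"gateway.nginx.org", "gateway.networking.k8s.io"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def rule_grants_write(rule):
    """True if one RBAC rule allows a write verb on a watched API group.
    Wildcards are broader than the watched set, so "*" in apiGroups, resources
    or verbs counts as a grant rather than being skipped."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    if not (groups & WATCHED_GROUPS) and "*" not in groups:
        return False
    if not resources:  # nonResourceURLs rule; cannot touch CRDs
        return False
    return "*" in verbs or bool(verbs & WRITE_VERBS)


def role_key(kind, name, namespace=None):
    """Roles are namespaced, ClusterRoles are not; key them accordingly."""
    return (kind, namespace if kind == "Role" else None, name)


def index_roles(items):
    """Map role key -> whether any rule in that role grants a write.
    Aggregated ClusterRoles already carry their merged rules in the API object."""
    writes = {}
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj["metadata"]
        key = role_key(obj["kind"], meta["name"], meta.get("namespace"))
        writes[key] = any(rule_grants_write(r) for r in obj.get("rules") or [])
    return writes


def subject_id(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', 'default')}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"


def find_writers(rbac_json):
    """Return sorted (subject, role, scope) triples. scope is 'cluster' for a
    ClusterRoleBinding and the binding's namespace for a RoleBinding: binding
    cluster-admin with a RoleBinding still only applies inside that namespace."""
    items = rbac_json["items"] if rbac_json.get("kind") == "List" else [rbac_json]
    writes = index_roles(items)
    findings = set()
    for obj in items:
        kind = obj.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace")
        if not writes.get(role_key(ref["kind"], ref["name"], ns), False):
            continue
        scope = "cluster" if kind == "ClusterRoleBinding" else ns
        role = f"ClusterRole {ref['name']}" if ref["kind"] == "ClusterRole" else f"Role {ns}/{ref['name']}"
        for subj in obj.get("subjects") or []:
            findings.add((subject_id(subj), role, scope))
    return sorted(findings)


# Constructed sample standing in for real kubectl output (names are made up).
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "ngf-platform-admin"},
     "rules": [{"apiGroups": ["gateway.nginx.org"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ngf-view"},
     "rules": [{"apiGroups": ["gateway.nginx.org"], "resources": ["nginxproxies"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "route-deployer", "namespace": "team-a"},
     "rules": [{"apiGroups": ["gateway.networking.k8s.io"], "resources": ["httproutes"],
                "verbs": ["create", "update", "patch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform"},
     "roleRef": {"kind": "ClusterRole", "name": "ngf-platform-admin"},
     "subjects": [{"kind": "Group", "name": "platform-team"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "developers"},
     "roleRef": {"kind": "ClusterRole", "name": "ngf-view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "route-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ops", "namespace": "team-b"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "ops-bot@example.com"}]},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for subject, role, scope in find_writers(data):
        print(f"{subject:40} via {role:35} scope={scope}")
```

Every line of output is a candidate for step 2 (narrow the grant) or step 4 (rotate the credential). The script does not model admission webhooks or policy engines that may further restrict writes, so treat its list as the upper bound of who could have changed Gateway Fabric resources, then confirm against the API server audit log.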

Repair help

Use Ping7 CVE Repair if several teams can write Gateway Fabric resources, the cluster is customer-facing, or config reloads changed unexpectedly around the advisory window.
