CVE-2026-28755 — MEDIUM (5.4)

Q: How severe is CVE-2026-28755?

CVE-2026-28755 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-28755?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx Plus, F5 Nginx Open Source.

Vulnerability Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
F5	Nginx Plus	r33
F5	Nginx Open Source	>= 0.5.13, <= 0.9.7

Related Weaknesses (CWE)

CWE-863

References

https://my.f5.com/manage/s/article/K000160368Vendor AdvisoryMitigation

FAQ

What is CVE-2026-28755?

CVE-2026-28755 is a vulnerability with a CVSS score of 5.4 (MEDIUM). NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocs...

How severe is CVE-2026-28755?

CVE-2026-28755 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-28755?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Nginx Plus, F5 Nginx Open Source.