F5: New NGINX Vulnerability Allows Remote Code Execution Attacks

Critical NGINX JavaScript Vulnerability (CVE-2026-8711) Enables Remote Code Execution

A critical heap buffer overflow vulnerability, CVE-2026-8711, has been disclosed in NGINX JavaScript (njs), allowing unauthenticated remote attackers to crash worker processes or achieve remote code execution (RCE) under specific conditions. The flaw, revealed amid a surge of NGINX security disclosures in May 2026, highlights growing risks for organizations using the widely deployed web server.

The vulnerability resides in the ngx_http_js_module and is triggered when the js_fetch_proxy directive is configured with client-controlled NGINX variables (e.g., $http_*, $arg_*, $cookie_*) alongside a location block invoking ngx.fetch(). Attackers can exploit this by sending maliciously crafted HTTP requests, leading to a CWE-122 heap-based buffer overflow in NGINX worker processes. On systems with ASLR disabled, the flaw can escalate to full RCE.

Affected configurations include those passing client-controlled headers (e.g., $http_x_user, $http_x_password) directly into proxy URLs. F5 has confirmed that the issue is limited to the data plane, with no control-plane exposure. The vulnerability carries a Critical CVSS v4.0 score of 9.2 and a High CVSS v3.1 score of 8.1, affecting njs versions 0.9.4 through 0.9.8. A patch is available in njs 0.9.9, while other F5 products including NGINX Plus, BIG-IP, BIG-IQ, F5 Distributed Cloud, and F5OS remain unaffected.

This disclosure follows the recent "NGINX Rift" vulnerability chain, disclosed on May 13, 2026, by DepthFirst AI. The most severe flaw in the chain, CVE-2026-42945, has existed since 2008 and has already been exploited in the wild, with proof-of-concept code publicly released. Together, these vulnerabilities enable attackers to crash processes, leak memory, or achieve RCE by exploiting deterministic heap layouts.

Mitigation efforts include auditing js_fetch_proxy directives to remove client-controlled variables, enabling ASLR, monitoring worker logs for unexpected restarts, and restricting NGINX configurations. Organizations unable to patch immediately can apply a temporary workaround by replacing unnamed captures with named captures in affected rewrite directives.
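One way to carry out the js_fetch_proxy audit described above, as an added example that is not code from F5 or the original article: a Python scan that flags js_fetch_proxy values built from client-controlled variables, and goes one step further by following values copied through set. The sample configuration, the proxy.internal hostname and the extra built-ins ($args, $query_string, $request_uri, $request_body) are assumptions made for this example.

```python
import re

# Families named in the article ($http_*, $arg_*, $cookie_*) plus request-derived
# built-ins added here as an assumption about what counts as client-controlled.
CLIENT_VAR = re.compile(r"(?:http|arg|cookie)_\w+|args|query_string|request_uri|request_body")
VAR = re.compile(r"\$\{?(\w+)")
DIRECTIVE = re.compile(r"(?:(?<=[;{}])|^)\s*(js_fetch_proxy|set)\s+([^;]+);", re.M)


def offending(value, derived):
    """Variables in value that are client-controlled directly or via `set`."""
    return sorted({"$" + n for n in VAR.findall(value)
                   if CLIENT_VAR.fullmatch(n) or n in derived})


def audit(conf_text):
    """Return [(line_no, args, [offending variables])] for each risky js_fetch_proxy."""
    # Strip comments, keeping newlines so line numbers stay accurate ('#' in quotes not handled).
    text = re.sub(r"#[^\n]*", "", conf_text)
    found = [(m.group(1), m.group(2).strip(), text.count("\n", 0, m.start(1)) + 1)
             for m in DIRECTIVE.finditer(text)]
    derived, changed = set(), True
    while changed:  # fixpoint: follow chains like set $a $http_x; set $b $a;
        changed = False
        for name, args, _ in found:
            parts = args.split(None, 1)
            if name == "set" and len(parts) == 2:
                target = parts[0].lstrip("$")
                if target not in derived and offending(parts[1], derived):
                    derived.add(target)
                    changed = True
    return [(line, args, offending(args, derived))
            for name, args, line in found
            if name == "js_fetch_proxy" and offending(args, derived)]


# Constructed sample configuration (hostnames and variable names are made up).
SAMPLE_CONF = """\
server {
    set $proxy_user $http_x_user;              # indirect client input
    location /a { js_fetch_proxy http://$proxy_user:$http_x_password@proxy.internal:3128; js_content main.a; }
    location /b { js_fetch_proxy http://proxy.internal:3128; js_content main.b; }
    # js_fetch_proxy http://$arg_p@old.internal:3128;
}
"""

if __name__ == "__main__":
    for line, args, names in audit(SAMPLE_CONF):
        print(f"line {line}: js_fetch_proxy {args}  <- {', '.join(names)}")
```

The scan reads one file's text; include directives and map blocks are not followed, so run it over every included file and review map-derived variables by hand.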

Given NGINX’s dominance, powering over 30% of active websites, CVE-2026-8711 poses a significant risk, particularly for internet-facing deployments where ASLR may not be enforced. Security teams are advised to prioritize patching in vulnerable environments.

Source: https://cyberpress.org/nginx-allows-remote-code-execution/

F5 cybersecurity rating report: https://www.rankiteo.com/company/f5
