CVE-2026-40460
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
In NGINX Plus and NGINX Open Source with the HTTP/3 QUIC module enabled, an attacker can spoof their source IP address, bypassing authorization or rate limiting.
Risk Assessment
The organization faces risks of unauthorized access to resources and server overload due to bypassed rate limits.
Recommendation
Immediately update NGINX to the latest patched version and disable the HTTP/3 QUIC module if not required.
Original NVD description (English source)
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

