On March 24, 2026, NGINX released emergency patches for four security vulnerabilities affecting both NGINX Open Source and NGINX Plus. The worst of them — CVE-2026-32647 — is a buffer over-read and over-write in the MP4 streaming module that can lead to remote code execution via a crafted video file.
If you run NGINX on a VPS or dedicated server, this is not a “patch when convenient” situation. Three of the four CVEs allow an attacker to write outside allocated memory or crash your worker processes. One enables path traversal outside your document root.
Here is what each vulnerability does, how to check if you are exposed, and how to upgrade.
The Four Vulnerabilities
| CVE | Module | Impact | Severity |
|---|---|---|---|
| CVE-2026-32647 | ngx_http_mp4_module | Buffer over-read/over-write — possible RCE via crafted MP4 | High |
| CVE-2026-27654 | ngx_http_dav_module | Heap-based buffer overflow — path traversal outside document root via COPY/MOVE with alias | High |
| CVE-2026-27784 | ngx_http_mp4_module (32-bit) | Memory over-read/over-write on 32-bit systems | Medium |
| CVE-2026-27651 | ngx_mail_auth_http_module | Worker process termination (denial of service) | Medium |
CVE-2026-32647 — The Worst One
The ngx_http_mp4_module handles progressive streaming of MP4 files. A specially crafted MP4 file triggers a buffer over-write in the module’s metadata parser. An attacker who can upload or cause NGINX to serve a malicious MP4 file can potentially execute arbitrary code in the context of the NGINX worker process.
This matters even if you do not intentionally serve video. If your NGINX configuration includes mp4; in any location block — or if your package was compiled with the module enabled by default — you are exposed. Most distribution packages include the module.
CVE-2026-27654 — Path Traversal via WebDAV
The ngx_http_dav_module provides WebDAV COPY and MOVE support. When combined with the alias directive, a heap-based buffer overflow allows an attacker to escape your document root and access files outside the intended directory.
This affects you if:
- You use dav_methods COPY MOVE; in your NGINX config
- The same location block also uses alias instead of root
WebDAV is not enabled by default, but it is common in self-hosted file sync setups (Nextcloud, Seafile) and CalDAV/CardDAV configurations.
CVE-2026-27784 — 32-Bit MP4 Overflow
This is a second MP4 module vulnerability, specific to 32-bit NGINX builds: an integer overflow in the MP4 metadata parser causes memory over-read and over-write. Most modern VPS environments run 64-bit, but if you are running a 32-bit container image or an older ARM device, check your architecture:
```bash
# Version line of the running build
nginx -V 2>&1 | head -1
# Machine architecture (i686/armv7l are 32-bit; x86_64/aarch64 are 64-bit)
uname -m
```
CVE-2026-27651 — Mail Auth Worker Crash
The ngx_mail_auth_http_module can be crashed by specific input, terminating the worker process. This is a denial-of-service vulnerability that affects NGINX installations using the mail proxy module for SMTP, IMAP, or POP3 authentication.
Check If You Are Exposed
Run these commands on your server to determine your exposure:
Step 1 — Check Your NGINX Version
```bash
nginx -v
```
Patched versions: 1.28.3 (stable) and 1.29.7 (mainline). Anything older is vulnerable.
Step 2 — Check Compiled Modules
```bash
# List all compiled-in modules
nginx -V 2>&1 | tr ' ' '\n' | grep module
# Specifically check for affected modules (mail may appear as --with-mail or --with-mail=dynamic)
nginx -V 2>&1 | grep -oE -- '--with-(http_mp4_module|http_dav_module|mail[^ ]*)'
```
If the output includes --with-http_mp4_module, --with-http_dav_module, or --with-mail (possibly as --with-mail=dynamic, alongside --with-mail_ssl_module), the corresponding CVEs apply to your installation.
Step 3 — Check Your Configuration
```bash
# Search for active mp4 streaming
grep -rn 'mp4;' /etc/nginx/
# Search for WebDAV with alias (CVE-2026-27654 trigger)
grep -rn 'dav_methods\|alias' /etc/nginx/ | sort
# Search for mail proxy usage
grep -rn 'mail {' /etc/nginx/
```
Even if your configuration never references these features, a statically compiled module is still part of the running binary, and a dynamic one (for example --with-mail=dynamic) is loaded as soon as a load_module directive names it. The safest path is to upgrade regardless.
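Pulling the three checks above into one script, as an added example that is not part of the original post: the patched version numbers (1.28.3 and 1.29.7) are the ones the post gives, while the sample nginx -V output, the function names, and the assumption that any line newer than 1.29 also carries the fix are mine.

```bash
#!/bin/sh
# Added example, not code from the original post: the version and module checks
# as two shell functions, runnable against a live server or against the
# constructed sample below. Patched versions per the post: 1.28.3 (stable) and
# 1.29.7 (mainline); assumption: any release on a newer line also carries the fix.

# nginx_patched VERSION -> exit 0 if VERSION is a patched release.
# Accepts "nginx version: nginx/1.28.3", "nginx/1.28.3-1~jammy" or plain "1.28.3".
nginx_patched() {
    ver=${1##*nginx/}                     # keep what follows the last "nginx/"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}               # drop a package suffix such as "-1~jammy"
    [ -n "$patch" ] || patch=0
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 29 ] && return 0       # assumption: newer lines ship with the fix
    [ "$minor" -eq 29 ] && [ "$patch" -ge 7 ] && return 0
    [ "$minor" -eq 28 ] && [ "$patch" -ge 3 ] && return 0
    return 1
}

# affected_cves NGINX_V_OUTPUT ARCH -> print the CVE ids whose module is compiled in.
# ARCH is the output of `uname -m`; CVE-2026-27784 only applies to 32-bit builds.
affected_cves() {
    flags=$1
    arch=$2
    cves=""
    case "$flags" in
        *--with-http_mp4_module*)
            cves="$cves CVE-2026-32647"
            case "$arch" in
                i?86|armv[67]l) cves="$cves CVE-2026-27784" ;;
            esac ;;
    esac
    case "$flags" in *--with-http_dav_module*) cves="$cves CVE-2026-27654" ;; esac
    case "$flags" in *--with-mail*)            cves="$cves CVE-2026-27651" ;; esac
    printf '%s\n' "${cves# }"
}

# exposure_report VERSION_LINE NGINX_V_OUTPUT ARCH -> one-line summary.
exposure_report() {
    if nginx_patched "$1"; then
        printf 'patched: %s\n' "${1##*nginx/}"
    else
        c=$(affected_cves "$2" "$3")
        [ -n "$c" ] || c="no affected modules compiled in"
        printf 'VULNERABLE: %s (%s)\n' "${1##*nginx/}" "$c"
    fi
}

# Constructed sample of `nginx -V` output (a typical distribution build), so the
# script runs offline; it is not a capture from a real server.
SAMPLE_V='nginx version: nginx/1.26.2
configure arguments: --with-http_ssl_module --with-http_mp4_module --with-http_dav_module --with-mail=dynamic --with-mail_ssl_module'

# Run against the live binary when present, otherwise against the sample.
if command -v nginx >/dev/null 2>&1; then
    exposure_report "$(nginx -v 2>&1)" "$(nginx -V 2>&1)" "$(uname -m)"
else
    exposure_report "$(printf '%s\n' "$SAMPLE_V" | head -n 1)" "$SAMPLE_V" x86_64
fi
```

The version parser deliberately strips distribution suffixes such as -1~jammy, because Debian and Ubuntu packages report them in nginx -v and a naive string comparison against 1.28.3 would misjudge them.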
How to Upgrade
Ubuntu / Debian
```bash
# Update package lists
sudo apt update
# Check available version
apt-cache policy nginx
# Upgrade
sudo apt upgrade nginx
# Verify
nginx -v
# Reload (not restart — keeps connections alive)
sudo nginx -s reload
```
If your distribution has not yet published the patched version, you can add the official NGINX repository:
```bash
# Add NGINX signing key
curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg
# Add stable repo (Ubuntu)
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
sudo apt update && sudo apt install nginx
```
RHEL / AlmaLinux / Rocky
```bash
# Check current version
nginx -v
# Update
sudo dnf update nginx
# Or from official NGINX repo
sudo dnf install -y https://nginx.org/packages/rhel/9/x86_64/RPMS/nginx-1.28.3-1.el9.ngx.x86_64.rpm
# Reload
sudo nginx -s reload
```
Docker
```bash
# Pull patched image
docker pull nginx:1.28.3
# Or mainline
docker pull nginx:1.29.7
# Rebuild and restart your containers
docker compose up -d --build
```
If you recently upgraded Docker itself following the Docker v29 migration guide, combine both updates in a single maintenance window.
Source Builds
If you compiled NGINX from source:
```bash
# Download patched source
wget https://nginx.org/download/nginx-1.28.3.tar.gz
tar xzf nginx-1.28.3.tar.gz
cd nginx-1.28.3
# Print the configure flags of your current build so you can reuse them
nginx -V 2>&1 | grep 'configure arguments:'
# Rebuild with the same flags
./configure [your existing flags]
make
sudo make install
sudo nginx -s reload
```
Temporary Mitigations
If you cannot upgrade immediately, reduce your attack surface:
Disable the MP4 Module
Remove or comment out any mp4; directives in your configuration:
```nginx
# Before (vulnerable)
location /videos/ {
    mp4;
    mp4_buffer_size 1m;
}

# After (mitigated)
location /videos/ {
    # mp4; # Disabled pending NGINX upgrade — CVE-2026-32647
    # mp4_buffer_size 1m;
}
```
Then reload: sudo nginx -s reload
Restrict WebDAV Methods
If you must keep WebDAV active, restrict COPY and MOVE before they reach the DAV module, either at the WAF or firewall level or directly in NGINX:
```nginx
# Block COPY/MOVE at the NGINX level
if ($request_method ~ ^(COPY|MOVE)$) {
    return 405;
}
```
Block Malicious MP4 Uploads
If your application accepts file uploads, validate file types at the application layer before NGINX processes them. Do not rely on NGINX alone to handle untrusted media files.
Post-Upgrade Verification
After upgrading, confirm the fix is in place:
```bash
# Verify version (must be 1.28.3+ or 1.29.7+)
nginx -v
# Test configuration syntax
sudo nginx -t
# Check that NGINX is running the new binary. "(deleted)" in this output means the
# master process still executes the old, replaced file; a reload only re-reads the
# config and respawns workers from the running master, so it will not change that.
# In that case restart the service (sudo systemctl restart nginx) or perform the
# on-the-fly binary upgrade (USR2 to the master), then re-check.
sudo ls -l /proc/"$(cat /var/run/nginx.pid)"/exe
ps aux | grep '[n]ginx'
sudo nginx -s reload
# Verify TLS still works
curl -Iv https://yourdomain.com 2>&1 | head -20
```
Check your access logs for unusual MP4 requests that may indicate probing:
```bash
# Look for MP4 requests from unexpected sources
grep '\.mp4' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
```
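A stricter version of that log check, added here as an example rather than taken from the original post: it matches .mp4 only at the end of the request path (so a file such as player.mp4.js is not counted), tracks non-2xx responses per client, and runs on constructed sample lines so it can be tried offline. The function names, the threshold parameter, and the sample log are mine.

```bash
#!/bin/sh
# Added example, not code from the original post: summarise MP4 requests per
# client from combined-format access log lines, counting non-2xx responses
# separately (repeated misses against the mp4 handler are worth a look).
# Reads log lines on stdin so it can be pointed at the real log or at the sample.

# mp4_report < LOG -> "count client non2xx" lines, busiest client first.
mp4_report() {
    awk '{
        path = $7; sub(/[?].*/, "", path)      # drop the query string before matching
        if (path ~ /\.mp4$/) {
            n[$1]++
            if ($9 !~ /^2/) err[$1]++          # $9 is the status code in combined format
        }
    } END { for (ip in n) printf "%d %s %d\n", n[ip], ip, err[ip] + 0 }' | sort -rn
}

# mp4_suspects THRESHOLD < LOG -> clients with at least THRESHOLD MP4 requests.
mp4_suspects() {
    mp4_report | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log lines (not a real capture); the addresses come from the
# documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG='203.0.113.5 - - [25/Mar/2026:10:01:02 +0000] "GET /videos/intro.mp4?start=10 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2026:10:01:03 +0000] "GET /videos/archive-01.mp4 HTTP/1.1" 404 153 "-" "curl/8.5.0"
203.0.113.5 - - [25/Mar/2026:10:01:04 +0000] "GET /videos/talk.mp4 HTTP/1.1" 200 2097152 "-" "curl/8.5.0"
198.51.100.7 - - [25/Mar/2026:10:02:10 +0000] "GET /videos/talk.mp4 HTTP/1.1" 206 524288 "https://example.com/" "Mozilla/5.0"
192.0.2.9 - - [25/Mar/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2026:10:03:30 +0000] "GET /static/player.mp4.js HTTP/1.1" 200 4096 "-" "curl/8.5.0"'

# Demonstrate on the sample; on a live server use: mp4_report < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | mp4_report
```

If NGINX sits behind a proxy or CDN, $1 is the proxy address rather than the client; switch the awk fields to whatever position your log_format gives the forwarded address before relying on the per-client counts.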
Hardening Beyond the Patch
Patching the CVEs stops the immediate threat. These additional steps reduce your exposure to future NGINX vulnerabilities:
Disable unused modules. If you compiled from source, rebuild without modules you do not use. Every compiled module is attack surface, whether your configuration references it or not.
```bash
# Example: build without mp4 and dav modules
./configure --without-http_mp4_module --without-http_dav_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module
```
Run NGINX behind a reverse proxy or WAF. A Caddy reverse proxy or a managed WAF adds a layer between the internet and your NGINX process. This does not fix vulnerabilities, but it limits what an attacker can send directly to NGINX.
Set up intrusion detection. Fail2ban or CrowdSec can detect and block anomalous request patterns before they reach your application. CrowdSec’s community blocklists are particularly effective against known exploit scanners.
Restrict admin access. Ensure SSH and any management interfaces are only accessible via VPN. A WireGuard VPN is the simplest way to lock down remote admin access on a VPS.
Enable automatic security updates. On Ubuntu/Debian:
```bash
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
This handles security patches automatically while leaving major version changes for manual review.
Timeline
| Date | Event |
|---|---|
| March 24, 2026 | NGINX releases versions 1.28.3 and 1.29.7 with fixes for 4 CVEs |
| March 24, 2026 | CVE-2026-32647, CVE-2026-27654, CVE-2026-27784, CVE-2026-27651 published |
| March 26, 2026 | Distribution packages propagating — check your package manager |
Who Needs to Act
You need to upgrade if any of these apply:
- You run NGINX on a VPS, dedicated server, or container
- Your NGINX version is older than 1.28.3 (stable) or 1.29.7 (mainline)
- You serve MP4 files or have the MP4 module compiled in (most packages do)
- You use WebDAV with the alias directive
- You use NGINX as a mail proxy
If you are running NGINX as part of a hosting control panel (cPanel, Plesk, CyberPanel), check with your panel vendor for their patched release. Do not manually replace the NGINX binary on a managed panel — it will be overwritten on the next panel update.
For self-hosted NGINX on a Cloud VPS with root access, the upgrade commands above apply directly. If you prefer not to manage security patches yourself, CWH Managed Support handles patching, monitoring, and configuration hardening for your server.
Next Steps
- Run nginx -v right now — if it says anything below 1.28.3, you are vulnerable
- Check which modules are compiled in with nginx -V
- Upgrade using the commands for your distribution above
- Verify the upgrade with nginx -t && sudo nginx -s reload
- Review your access logs for suspicious MP4 requests
- Disable any modules you do not actively use
Four CVEs in a single release is unusual for NGINX. Two of them involve memory corruption with potential code execution. The patches have been available since March 24 — every day you wait is a day your server is running with known exploitable vulnerabilities. Upgrade today.