NGINX

vrelease-1.31.0 scope: release Security

This release includes 6 security fixes that security teams reviewing exposed deployments should note.

This release patches 6 known CVEs

Topics

content-cache http http2 http3 https load-balancing
mail-proxy-server nginx quic proxy security tcp-proxy-server tls udp-proxy-server web-server

Affected surfaces

rce_ssrf breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 13d

NGINX 1.31.0 fixes six security vulnerabilities across proxy, rewrite, SCGI/UWSGI, charset, HTTP/3, and OCSP modules. The release adds HTTP forward proxy support with CONNECT method and upstream load balancing.

Why it matters: Six security fixes span multiple modules: request injection, buffer overflows/overreads, address spoofing, and use-after-free in OCSP. Patch immediately; test HTTP proxy features in dev before production rollout.

Summary

AI summary

CVE fixes for multiple vulnerabilities and added HTTP forward proxy support.

Changes in this release

Security Medium

Fixes HTTP/2 request injection vulnerability in proxy module

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes buffer overflow vulnerability in rewrite module

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes buffer overread vulnerabilities in SCGI and UWSGI modules

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes buffer overread vulnerability in charset module

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes address spoofing vulnerability in HTTP/3

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Fixes use-after-free vulnerability in OCSP resolver requests

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Supports HTTP forward proxy

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Supports HTTP CONNECT proxy

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Adds upstream least_time load balancing for HTTP and stream

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Supports connection specific headers

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Adds ALPN support for proxy_ssl upstream

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Adds configure synonym for upstream sticky module option

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

Optimizes HTTP/3 encoder stream memory usage

Source: llm_adapter@2026-05-21

Confidence: high

Performance Medium

Optimizes the Stream module to evaluate proxy_ssl_alpn only once

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Restricts duplicate TE headers in HTTP/2 and HTTP/3

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes empty request body buffering special case

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Improves DAV path validation for COPY and MOVE operations

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes HTTP/2 proxy keepalive when no body specified

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Prevents undefined behaviour in memcpy via ngx_init_cycle

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Rejects HTTP CONNECT method with no port after colon

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes SSL logging level for RECORD_LAYER_FAILURE

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixes gcc version detection in configure

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Low

Logs SSL_R_RECORD_LAYER_FAILURE at info level instead of error

Source: granite4.1:30b@2026-05-22-audit

Confidence: low

Full changelog

nginx-1.31.0 mainline version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701). Additionally, the release features support for HTTP forward proxy.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

  • GH: add a workflow to check for the 'version bump' commit by @ac000 in https://github.com/nginx/nginx/pull/1240
  • Connection specific headers by @arut in https://github.com/nginx/nginx/pull/1257
  • Updated OpenSSL used for win32 builds. by @pluknet in https://github.com/nginx/nginx/pull/1269
  • SSL: logging level fixes. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1258
  • Changes in ngx_quic_cbs_recv_rcd() by @pluknet in https://github.com/nginx/nginx/pull/1279
  • SSL: log SSL_R_RECORD_LAYER_FAILURE at info level by @Smeet23 in https://github.com/nginx/nginx/pull/1267
  • Restrict duplicate TE headers in HTTP/2 and HTTP/3. by @arut in https://github.com/nginx/nginx/pull/1275
  • HTTP/3: optimize encoder stream memory usage by @arut in https://github.com/nginx/nginx/pull/1274
  • Stream: support ALPN for proxy_ssl upstream. by @VadimZhestikov in https://github.com/nginx/nginx/pull/1109
  • Prevent Undefined Behaviour in memcpy(3) via ngx_init_cycle() by @ac000 in https://github.com/nginx/nginx/pull/1082
  • GH: Add various bits of GitHub automation by @ac000 in https://github.com/nginx/nginx/pull/1172
  • Configure: added synonym for the upstream sticky module option by @hyuan-netizen in https://github.com/nginx/nginx/pull/1292
  • Stream: evaluate proxy_ssl_alpn once by @pluknet in https://github.com/nginx/nginx/pull/1304
  • Request body: fixed empty body buffering special case. by @pluknet in https://github.com/nginx/nginx/pull/977
  • Configure: fix gcc version detection in some corner cases by @ac000 in https://github.com/nginx/nginx/pull/1305
  • Upstream: least_time load balancing for HTTP and stream. by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1306
  • Dav: improved path validation for COPY and MOVE operations by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1307
  • Proxy: fix keepalive for HTTP/2 when no body is specified by @arut in https://github.com/nginx/nginx/pull/1314
  • GH: update the stale PR/issue workflow by @ac000 in https://github.com/nginx/nginx/pull/1315
  • HTTP CONNECT proxy. by @arut in https://github.com/nginx/nginx/pull/707
  • Reject HTTP CONNECT method with no port after colon by @pluknet in https://github.com/nginx/nginx/pull/1335
  • GH: set new issues creation date by @ac000 in https://github.com/nginx/nginx/pull/1272
  • nginx-1.31.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1350

New Contributors

  • @Smeet23 made their first contribution in https://github.com/nginx/nginx/pull/1267
  • @hyuan-netizen made their first contribution in https://github.com/nginx/nginx/pull/1292
  • @saikrishnakumarreddy made their first contribution in https://github.com/nginx/nginx/pull/1306

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.8...release-1.31.0

Security Fixes

  • CVE-2026-42926 — HTTP/2 request injection vulnerability in ngx_http_proxy_module
  • CVE-2026-42945 — Buffer overflow vulnerability in ngx_http_rewrite_module
  • CVE-2026-42946 — Buffer overread vulnerabilities in ngx_http_scgi_module and ngx_http_uwsgi_module
  • CVE-2026-42934 — Buffer overread vulnerability in ngx_http_charset_module
  • CVE-2026-40460 — Address spoofing vulnerability in HTTP/3
  • CVE-2026-40701 — Use-after-free vulnerability in OCSP requests to resolver


About NGINX

HTTP and reverse proxy server, mail proxy server, and generic TCP/UDP proxy server.
