The nginx project has released nginx 1.29.5, a mainline update that includes a security fix for an SSL upstream injection vulnerability, tracked as CVE-2026-1642.
The patched vulnerability affects certain configurations where nginx proxies traffic to upstream servers over TLS. Under specific conditions, an attacker positioned between nginx and its upstream server could potentially inject plaintext data into the response stream, undermining assumptions about the integrity of encrypted upstream connections.
The new 1.29.5 version addresses this issue alongside a collection of routine fixes and improvements, including proxy handling adjustments, logging updates, documentation clarifications, and maintenance changes across supported platforms. While these updates are secondary to the security fix, they contribute to overall stability and reliability.
The fix is primarily relevant to environments that use nginx as a reverse proxy for TLS-encrypted upstream traffic. In such deployments, the update resolves a software-level issue in upstream SSL handling rather than a configuration or operational weakness.
Anyone using nginx to forward traffic to other servers over encrypted (TLS) connections should verify the nginx version currently running on their system. If you installed nginx directly from the nginx project, updating to version 1.29.5 applies the fix. If nginx was installed through your operating system or hosting provider, run your normal system update process and install any available nginx updates released after this security fix. Once updated, restarting nginx is enough for the change to take effect.
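The check described above can be scripted. The following is an added example, not code from the nginx project: it reads the `nginx -v` banner and a config dump, reports whether any directive proxies to an upstream over TLS, and compares the version with 1.29.5. The function names and the choice of directives treated as "TLS upstream" (`proxy_pass https://`, `grpc_pass grpcs://`, stream `proxy_ssl on;`) are assumptions. For OS or hosting-provider packages the version string may not follow mainline numbering, so there the verdict is only a prompt to install pending updates.

```shell
#!/bin/sh
# Added triage example, not nginx project code. Function names are hypothetical.
FIXED_MAINLINE="1.29.5"   # fixed mainline release named in the article

# Pull "X.Y.Z" out of the `nginx -v` banner, e.g. "nginx version: nginx/1.29.4".
banner_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when dotted version $1 is strictly older than $2 (numeric, per field).
version_lt() {
    vl_a=$1; vl_b=$2
    for vl_i in 1 2 3; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a=0 ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b=0 ;; esac
        if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
        if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
    done
    return 1
}

# List config lines (numbered) that send upstream traffic over TLS. Assumed
# markers: proxy_pass https://, grpc_pass grpcs://, and stream "proxy_ssl on;".
# Comments are stripped naively; variable-built schemes are not detected.
tls_upstream_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -nE \
      '(proxy_pass[[:space:]]+https://|grpc_pass[[:space:]]+grpcs://|proxy_ssl[[:space:]]+on[[:space:]]*;)' \
      || true
}

# Verdict for one host: banner text in $1, full config text in $2.
assess() {
    if [ -z "$(tls_upstream_lines "$2")" ]; then echo "no-tls-upstream"; return 0; fi
    as_v=$(banner_version "$1")
    if [ -z "$as_v" ]; then echo "unknown-version"; return 0; fi
    if version_lt "$as_v" "$FIXED_MAINLINE"; then echo "older-than-$FIXED_MAINLINE"
    else echo "at-or-above-$FIXED_MAINLINE"; fi
}

# Constructed sample input; on a real host use:
#   assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)"
SAMPLE_CONF='server {
    location /api/ { proxy_pass https://backend.internal.example; }
    location /static/ { proxy_pass http://127.0.0.1:8080; }
    # proxy_pass https://disabled.example;
}'
assess "nginx version: nginx/1.29.4" "$SAMPLE_CONF"
```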
For full release notes and source packages, see the official nginx GitHub advisory page.