CVE-2026-32682 | When NGINX Gateway Fabric is configured using GRPCRoutes, an… | CVSS 6.5 MEDIUM

Description

When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metadata

CVE ID: CVE-2026-32682
State: PUBLISHED
Assigner: f5
Reserved: 2026-06-17 16:35 UTC
Published: 2026-06-17 20:05 UTC
Last updated: 2026-06-17 20:05 UTC
Primary CWE: CWE-129
CWE-129 Improper Validation of Array Index
Vendor / Product: F5 / NGINX Gateway Fabric
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
F5	NGINX Gateway Fabric	—	1.3.0 < 2.6.4

Weakness (CWE)

CWE	Source	Description
CWE-129	cna	CWE-129 Improper Validation of Array Index

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (1)

https://my.f5.com/manage/s/article/K000161786